{"id":128179,"date":"2026-06-09T07:14:15","date_gmt":"2026-06-09T07:14:15","guid":{"rendered":"https:\/\/www.dumpsbase.com\/freedumps\/?p=128179"},"modified":"2026-06-09T07:14:18","modified_gmt":"2026-06-09T07:14:18","slug":"nse6_fsm_an-7-4-free-dumps-part-1-q1-q40-v8-02-for-fortinet-fortisiem-7-4-analyst-exam-preparation-2026","status":"publish","type":"post","link":"https:\/\/www.dumpsbase.com\/freedumps\/nse6_fsm_an-7-4-free-dumps-part-1-q1-q40-v8-02-for-fortinet-fortisiem-7-4-analyst-exam-preparation-2026.html","title":{"rendered":"NSE6_FSM_AN-7.4 Free Dumps (Part 1, Q1-Q40) V8.02 for Fortinet FortiSIEM 7.4 Analyst Exam Preparation 2026"},"content":{"rendered":"\n<p>The Fortinet NSE 6 &#8211; FortiSIEM 7.4 Analyst (NSE6_FSM_AN-7.4) is available for your FCSS &#8211; Security Operations certification track. Details can be found in our article \u201c<strong><em><a href=\"https:\/\/www.dumpsbase.com\/news\/nse6-fsm-an-7-4-exam-dumps-fortinet-nse-6-fortisiem-7-4-analyst-practice-questions-and-update-system.html\">NSE6_FSM_AN-7.4 Exam Dumps: Fortinet NSE 6 &#8211; FortiSIEM 7.4 Analyst Practice Questions and Update System Overview 2026<\/a><\/em><\/strong>\u201d. You can trust that we have the latest NSE6_FSM_AN-7.4 dumps (V8.02) with 200 practice questions and answers, providing a smart and efficient way for you to master key concepts and improve exam readiness. These dumps are designed with structured questions and accurate answers that simulate real exam scenarios, helping learners build confidence and identify knowledge gaps. Before downloading the full version, you can try the free demo questions to check the quality. 
So start today, we will share free dumps online, helping you verify the questions and review the answers first.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">NSE6_FSM_AN-7.4 free dumps (Part 1, Q1-Q40) of V8.02 come first, including 40 free demo questions:<\/h2>\n\n\n<div  id=\"watupro_quiz\" class=\"quiz-area single-page-quiz\">\n<p id=\"submittingExam12498\" style=\"display:none;text-align:center;\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\"><\/p>\n\n<div class=\"watupro-exam-description\" id=\"description-quiz-12498\"><\/div>\n\n<form action=\"\" method=\"post\" class=\"quiz-form\" id=\"quiz-12498\"  enctype=\"multipart\/form-data\" >\n<div class='watu-question ' id='question-1' style=';'><div id='questionWrap-1'  class='   watupro-question-id-486446'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>1. <\/span>A SOC analyst is reviewing a failed VPN login event in FortiSIEM. The analyst needs to quickly search for other events with the same source IP, user, and login result during the last 60 minutes. <br \/>\r<br>Which action best supports this investigation?<\/div><input type='hidden' name='question_id[]' id='qID_1' value='486446' \/><input type='hidden' id='answerType486446' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486446[]' id='answer-id-1878739' class='answer   answerof-486446 ' value='1878739'   \/><label for='answer-id-1878739' id='answer-label-1878739' class=' answer'><span>Add the event to a static report<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486446[]' id='answer-id-1878740' class='answer   answerof-486446 ' value='1878740'   \/><label for='answer-id-1878740' id='answer-label-1878740' class=' answer'><span>Pivot from the selected event fields<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486446[]' 
id='answer-id-1878741' class='answer   answerof-486446 ' value='1878741'   \/><label for='answer-id-1878741' id='answer-label-1878741' class=' answer'><span>Change the incident clear condition<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486446[]' id='answer-id-1878742' class='answer   answerof-486446 ' value='1878742'   \/><label for='answer-id-1878742' id='answer-label-1878742' class=' answer'><span>Rebuild the related device group<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-2' style=';'><div id='questionWrap-2'  class='   watupro-question-id-486447'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>2. <\/span>An analyst needs a rule that detects several failed logins followed by a successful login from the same source and same user. <br \/>\r<br>Which structure best fits the requirement?<\/div><input type='hidden' name='question_id[]' id='qID_2' value='486447' \/><input type='hidden' id='answerType486447' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486447[]' id='answer-id-1878743' class='answer   answerof-486447 ' value='1878743'   \/><label for='answer-id-1878743' id='answer-label-1878743' class=' answer'><span>Linked subpatterns with shared fields<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486447[]' id='answer-id-1878744' class='answer   answerof-486447 ' value='1878744'   \/><label for='answer-id-1878744' id='answer-label-1878744' class=' answer'><span>One threshold on all login events<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486447[]' id='answer-id-1878745' class='answer   answerof-486447 ' value='1878745'   \/><label 
for='answer-id-1878745' id='answer-label-1878745' class=' answer'><span>One success pattern with grouping<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486447[]' id='answer-id-1878746' class='answer   answerof-486447 ' value='1878746'   \/><label for='answer-id-1878746' id='answer-label-1878746' class=' answer'><span>Two rules with separate incidents<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-3' style=';'><div id='questionWrap-3'  class='   watupro-question-id-486448'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>3. <\/span>An analyst searches for failed logins and groups the results by source IP. The output shows a high count from a known vulnerability scanner. The team wants future searches to keep the events but mark scanner traffic separately. <br \/>\r<br>What should the analyst use?<\/div><input type='hidden' name='question_id[]' id='qID_3' value='486448' \/><input type='hidden' id='answerType486448' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486448[]' id='answer-id-1878747' class='answer   answerof-486448 ' value='1878747'   \/><label for='answer-id-1878747' id='answer-label-1878747' class=' answer'><span>Incident clear rules<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486448[]' id='answer-id-1878748' class='answer   answerof-486448 ' value='1878748'   \/><label for='answer-id-1878748' id='answer-label-1878748' class=' answer'><span>Collector health status<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486448[]' id='answer-id-1878749' class='answer   answerof-486448 ' value='1878749'   \/><label for='answer-id-1878749' 
id='answer-label-1878749' class=' answer'><span>Lookup table enrichment<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486448[]' id='answer-id-1878750' class='answer   answerof-486448 ' value='1878750'   \/><label for='answer-id-1878750' id='answer-label-1878750' class=' answer'><span>Report delivery settings<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-4' style=';'><div id='questionWrap-4'  class='   watupro-question-id-486449'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>4. <\/span>A rule stopped triggering after the SOC added an exclusion for approved jump hosts. Manual searches still show suspicious activity from unapproved hosts. <br \/>\r<br>What should be checked first?<\/div><input type='hidden' name='question_id[]' id='qID_4' value='486449' \/><input type='hidden' id='answerType486449' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486449[]' id='answer-id-1878751' class='answer   answerof-486449 ' value='1878751'   \/><label for='answer-id-1878751' id='answer-label-1878751' class=' answer'><span>Incident severity value<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486449[]' id='answer-id-1878752' class='answer   answerof-486449 ' value='1878752'   \/><label for='answer-id-1878752' id='answer-label-1878752' class=' answer'><span>Notification recipient<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486449[]' id='answer-id-1878753' class='answer   answerof-486449 ' value='1878753'   \/><label for='answer-id-1878753' id='answer-label-1878753' class=' answer'><span>Dashboard filter scope<\/span><\/label><\/div><div 
class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486449[]' id='answer-id-1878754' class='answer   answerof-486449 ' value='1878754'   \/><label for='answer-id-1878754' id='answer-label-1878754' class=' answer'><span>Exclusion logic scope<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-5' style=';'><div id='questionWrap-5'  class='   watupro-question-id-486450'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>5. <\/span>An analyst must show whether failed logins are concentrated on a few target systems or distributed broadly. <br \/>\r<br>Which view best answers the question?<\/div><input type='hidden' name='question_id[]' id='qID_5' value='486450' \/><input type='hidden' id='answerType486450' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486450[]' id='answer-id-1878755' class='answer   answerof-486450 ' value='1878755'   \/><label for='answer-id-1878755' id='answer-label-1878755' class=' answer'><span>Events sorted by receive time<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486450[]' id='answer-id-1878756' class='answer   answerof-486450 ' value='1878756'   \/><label for='answer-id-1878756' id='answer-label-1878756' class=' answer'><span>Inventory sorted by model<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486450[]' id='answer-id-1878757' class='answer   answerof-486450 ' value='1878757'   \/><label for='answer-id-1878757' id='answer-label-1878757' class=' answer'><span>Incidents grouped by owner<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486450[]' id='answer-id-1878758' class='answer   answerof-486450 
' value='1878758'   \/><label for='answer-id-1878758' id='answer-label-1878758' class=' answer'><span>Targets grouped by count<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-6' style=';'><div id='questionWrap-6'  class='   watupro-question-id-486451'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>6. <\/span>A search shows many denied outbound events from one workstation. The analyst needs to determine whether the host is probing many systems or repeatedly hitting one service. <br \/>\r<br>Which grouping should be added?<\/div><input type='hidden' name='question_id[]' id='qID_6' value='486451' \/><input type='hidden' id='answerType486451' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486451[]' id='answer-id-1878759' class='answer   answerof-486451 ' value='1878759'   \/><label for='answer-id-1878759' id='answer-label-1878759' class=' answer'><span>Incident owner and status<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486451[]' id='answer-id-1878760' class='answer   answerof-486451 ' value='1878760'   \/><label for='answer-id-1878760' id='answer-label-1878760' class=' answer'><span>Collector name and version<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486451[]' id='answer-id-1878761' class='answer   answerof-486451 ' value='1878761'   \/><label for='answer-id-1878761' id='answer-label-1878761' class=' answer'><span>Destination IP and port<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486451[]' id='answer-id-1878762' class='answer   answerof-486451 ' value='1878762'   \/><label for='answer-id-1878762' id='answer-label-1878762' class=' 
answer'><span>Report name and folder<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-7' style=';'><div id='questionWrap-7'  class='   watupro-question-id-486452'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>7. <\/span>A search groups deny events by source IP and destination port, then applies a count aggregation. <br \/>\r<br>What does the count represent?<\/div><input type='hidden' name='question_id[]' id='qID_7' value='486452' \/><input type='hidden' id='answerType486452' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486452[]' id='answer-id-1878763' class='answer   answerof-486452 ' value='1878763'   \/><label for='answer-id-1878763' id='answer-label-1878763' class=' answer'><span>The number of devices reporting logs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486452[]' id='answer-id-1878764' class='answer   answerof-486452 ' value='1878764'   \/><label for='answer-id-1878764' id='answer-label-1878764' class=' answer'><span>The number of unique firewall rules<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486452[]' id='answer-id-1878765' class='answer   answerof-486452 ' value='1878765'   \/><label for='answer-id-1878765' id='answer-label-1878765' class=' answer'><span>The events in each grouped pair<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486452[]' id='answer-id-1878766' class='answer   answerof-486452 ' value='1878766'   \/><label for='answer-id-1878766' id='answer-label-1878766' class=' answer'><span>The incidents opened per device<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end 
questionWrap--><\/div><\/div><div class='watu-question ' id='question-8' style=';'><div id='questionWrap-8'  class='   watupro-question-id-486453'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>8. <\/span>A rule should detect administrative logons from nonapproved sources. Approved jump hosts are stored in a lookup table. <br \/>\r<br>What should the rule compare?<\/div><input type='hidden' name='question_id[]' id='qID_8' value='486453' \/><input type='hidden' id='answerType486453' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486453[]' id='answer-id-1878767' class='answer   answerof-486453 ' value='1878767'   \/><label for='answer-id-1878767' id='answer-label-1878767' class=' answer'><span>User role to severity<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486453[]' id='answer-id-1878768' class='answer   answerof-486453 ' value='1878768'   \/><label for='answer-id-1878768' id='answer-label-1878768' class=' answer'><span>Source host to lookup<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486453[]' id='answer-id-1878769' class='answer   answerof-486453 ' value='1878769'   \/><label for='answer-id-1878769' id='answer-label-1878769' class=' answer'><span>Target host to parser<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486453[]' id='answer-id-1878770' class='answer   answerof-486453 ' value='1878770'   \/><label for='answer-id-1878770' id='answer-label-1878770' class=' answer'><span>Event type to report<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-9' style=';'><div id='questionWrap-9'  class='   watupro-question-id-486454'>\n\t\t\t<div 
class='question-content'><div><span class='watupro_num'>9. <\/span>A malware search includes both production systems and lab systems. Production status is maintained as an asset attribute in FortiSIEM. <br \/>\r<br>How should the analyst limit the results?<\/div><input type='hidden' name='question_id[]' id='qID_9' value='486454' \/><input type='hidden' id='answerType486454' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486454[]' id='answer-id-1878771' class='answer   answerof-486454 ' value='1878771'   \/><label for='answer-id-1878771' id='answer-label-1878771' class=' answer'><span>Filter by incident owner<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486454[]' id='answer-id-1878772' class='answer   answerof-486454 ' value='1878772'   \/><label for='answer-id-1878772' id='answer-label-1878772' class=' answer'><span>Use CMDB asset context<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486454[]' id='answer-id-1878773' class='answer   answerof-486454 ' value='1878773'   \/><label for='answer-id-1878773' id='answer-label-1878773' class=' answer'><span>Match the report category<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486454[]' id='answer-id-1878774' class='answer   answerof-486454 ' value='1878774'   \/><label for='answer-id-1878774' id='answer-label-1878774' class=' answer'><span>Change the collector group<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-10' style=';'><div id='questionWrap-10'  class='   watupro-question-id-486455'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>10. 
<\/span>A SOC analyst wants to detect internal hosts using unauthorized NTP servers. Approved NTP servers are maintained in a lookup table. <br \/>\r<br>Which search design is best?<\/div><input type='hidden' name='question_id[]' id='qID_10' value='486455' \/><input type='hidden' id='answerType486455' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486455[]' id='answer-id-1878775' class='answer   answerof-486455 ' value='1878775'   \/><label for='answer-id-1878775' id='answer-label-1878775' class=' answer'><span>Search all NTP events by time<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486455[]' id='answer-id-1878776' class='answer   answerof-486455 ' value='1878776'   \/><label for='answer-id-1878776' id='answer-label-1878776' class=' answer'><span>Group approved servers only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486455[]' id='answer-id-1878777' class='answer   answerof-486455 ' value='1878777'   \/><label for='answer-id-1878777' id='answer-label-1878777' class=' answer'><span>Filter by collector hostname<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486455[]' id='answer-id-1878778' class='answer   answerof-486455 ' value='1878778'   \/><label for='answer-id-1878778' id='answer-label-1878778' class=' answer'><span>Find destinations not in lookup<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-11' style=';'><div id='questionWrap-11'  class='   watupro-question-id-486456'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>11. 
<\/span>A SOC analyst needs to identify hosts that contacted any destination in a threat intelligence list and then group them by business owner. <br \/>\r<br>Which combination best fits?<\/div><input type='hidden' name='question_id[]' id='qID_11' value='486456' \/><input type='hidden' id='answerType486456' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486456[]' id='answer-id-1878779' class='answer   answerof-486456 ' value='1878779'   \/><label for='answer-id-1878779' id='answer-label-1878779' class=' answer'><span>Lookup match plus CMDB grouping<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486456[]' id='answer-id-1878780' class='answer   answerof-486456 ' value='1878780'   \/><label for='answer-id-1878780' id='answer-label-1878780' class=' answer'><span>Report export plus raw sorting<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486456[]' id='answer-id-1878781' class='answer   answerof-486456 ' value='1878781'   \/><label for='answer-id-1878781' id='answer-label-1878781' class=' answer'><span>Parser status plus device uptime<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486456[]' id='answer-id-1878782' class='answer   answerof-486456 ' value='1878782'   \/><label for='answer-id-1878782' id='answer-label-1878782' class=' answer'><span>Incident closure plus notification<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-12' style=';'><div id='questionWrap-12'  class='   watupro-question-id-486457'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>12. 
<\/span>A failed-login rule fires during normal backup activity because known service accounts authenticate repeatedly. The events should remain searchable, but the rule should not alert on them. <br \/>\r<br>What is the best tuning action?<\/div><input type='hidden' name='question_id[]' id='qID_12' value='486457' \/><input type='hidden' id='answerType486457' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486457[]' id='answer-id-1878783' class='answer   answerof-486457 ' value='1878783'   \/><label for='answer-id-1878783' id='answer-label-1878783' class=' answer'><span>Exclude known accounts<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486457[]' id='answer-id-1878784' class='answer   answerof-486457 ' value='1878784'   \/><label for='answer-id-1878784' id='answer-label-1878784' class=' answer'><span>Reduce the threshold only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486457[]' id='answer-id-1878785' class='answer   answerof-486457 ' value='1878785'   \/><label for='answer-id-1878785' id='answer-label-1878785' class=' answer'><span>Change the incident owner<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486457[]' id='answer-id-1878786' class='answer   answerof-486457 ' value='1878786'   \/><label for='answer-id-1878786' id='answer-label-1878786' class=' answer'><span>Remove source grouping<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-13' style=';'><div id='questionWrap-13'  class='   watupro-question-id-486458'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>13. 
<\/span>A search result is difficult to interpret because asset names are missing and only IP addresses are shown. FortiSIEM has asset records for those IPs. <br \/>\r<br>What should the analyst check?<\/div><input type='hidden' name='question_id[]' id='qID_13' value='486458' \/><input type='hidden' id='answerType486458' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486458[]' id='answer-id-1878787' class='answer   answerof-486458 ' value='1878787'   \/><label for='answer-id-1878787' id='answer-label-1878787' class=' answer'><span>Report page margins<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486458[]' id='answer-id-1878788' class='answer   answerof-486458 ' value='1878788'   \/><label for='answer-id-1878788' id='answer-label-1878788' class=' answer'><span>CMDB enrichment mapping<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486458[]' id='answer-id-1878789' class='answer   answerof-486458 ' value='1878789'   \/><label for='answer-id-1878789' id='answer-label-1878789' class=' answer'><span>Incident assignee filters<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486458[]' id='answer-id-1878790' class='answer   answerof-486458 ' value='1878790'   \/><label for='answer-id-1878790' id='answer-label-1878790' class=' answer'><span>Notification retry values<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-14' style=';'><div id='questionWrap-14'  class='   watupro-question-id-486459'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>14. <\/span>A privilege escalation search must return events only for servers classified as critical. 
The classification is maintained in FortiSIEM. <br \/>\r<br>Which field source should be used?<\/div><input type='hidden' name='question_id[]' id='qID_14' value='486459' \/><input type='hidden' id='answerType486459' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486459[]' id='answer-id-1878791' class='answer   answerof-486459 ' value='1878791'   \/><label for='answer-id-1878791' id='answer-label-1878791' class=' answer'><span>CMDB asset attributes<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486459[]' id='answer-id-1878792' class='answer   answerof-486459 ' value='1878792'   \/><label for='answer-id-1878792' id='answer-label-1878792' class=' answer'><span>Report delivery fields<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486459[]' id='answer-id-1878793' class='answer   answerof-486459 ' value='1878793'   \/><label for='answer-id-1878793' id='answer-label-1878793' class=' answer'><span>Dashboard widget labels<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486459[]' id='answer-id-1878794' class='answer   answerof-486459 ' value='1878794'   \/><label for='answer-id-1878794' id='answer-label-1878794' class=' answer'><span>Notification email names<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-15' style=';'><div id='questionWrap-15'  class='   watupro-question-id-486460'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>15. <\/span>A SOC manager asks for the number of endpoint malware detections per host per hour. 
<br \/>\r<br>Which FortiSIEM analytic view best fits this request?<\/div><input type='hidden' name='question_id[]' id='qID_15' value='486460' \/><input type='hidden' id='answerType486460' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486460[]' id='answer-id-1878795' class='answer   answerof-486460 ' value='1878795'   \/><label for='answer-id-1878795' id='answer-label-1878795' class=' answer'><span>Raw endpoint logs by time<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486460[]' id='answer-id-1878796' class='answer   answerof-486460 ' value='1878796'   \/><label for='answer-id-1878796' id='answer-label-1878796' class=' answer'><span>Endpoint inventory by host<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486460[]' id='answer-id-1878797' class='answer   answerof-486460 ' value='1878797'   \/><label for='answer-id-1878797' id='answer-label-1878797' class=' answer'><span>Host and time-bucket counts<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486460[]' id='answer-id-1878798' class='answer   answerof-486460 ' value='1878798'   \/><label for='answer-id-1878798' id='answer-label-1878798' class=' answer'><span>Incident list by assignee<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-16' style=';'><div id='questionWrap-16'  class='   watupro-question-id-486461'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>16. <\/span>An analyst filters for endpoint malware detections and groups by host. The analyst also wants to know the latest detection time for each host. 
<br \/>\r<br>Which aggregation should be added?<\/div><input type='hidden' name='question_id[]' id='qID_16' value='486461' \/><input type='hidden' id='answerType486461' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486461[]' id='answer-id-1878799' class='answer   answerof-486461 ' value='1878799'   \/><label for='answer-id-1878799' id='answer-label-1878799' class=' answer'><span>Average raw length<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486461[]' id='answer-id-1878800' class='answer   answerof-486461 ' value='1878800'   \/><label for='answer-id-1878800' id='answer-label-1878800' class=' answer'><span>Count report folders<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486461[]' id='answer-id-1878801' class='answer   answerof-486461 ' value='1878801'   \/><label for='answer-id-1878801' id='answer-label-1878801' class=' answer'><span>Latest event time<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486461[]' id='answer-id-1878802' class='answer   answerof-486461 ' value='1878802'   \/><label for='answer-id-1878802' id='answer-label-1878802' class=' answer'><span>Distinct collector count<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-17' style=';'><div id='questionWrap-17'  class='   watupro-question-id-486462'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>17. <\/span>A first search returns users with impossible-travel indicators. A second search should find recent privileged actions performed by those same users. 
<br \/>\r<br>Which technique is most appropriate?<\/div><input type='hidden' name='question_id[]' id='qID_17' value='486462' \/><input type='hidden' id='answerType486462' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486462[]' id='answer-id-1878803' class='answer   answerof-486462 ' value='1878803'   \/><label for='answer-id-1878803' id='answer-label-1878803' class=' answer'><span>Nested query by user<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486462[]' id='answer-id-1878804' class='answer   answerof-486462 ' value='1878804'   \/><label for='answer-id-1878804' id='answer-label-1878804' class=' answer'><span>Export user records<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486462[]' id='answer-id-1878805' class='answer   answerof-486462 ' value='1878805'   \/><label for='answer-id-1878805' id='answer-label-1878805' class=' answer'><span>Sort by device vendor<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486462[]' id='answer-id-1878806' class='answer   answerof-486462 ' value='1878806'   \/><label for='answer-id-1878806' id='answer-label-1878806' class=' answer'><span>Clear the incident view<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-18' style=';'><div id='questionWrap-18'  class='   watupro-question-id-486463'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>18. <\/span>From an incident event, an analyst needs to quickly review recent activity for the same username across multiple devices. 
<br \/>\r<br>Which action is most efficient?<\/div><input type='hidden' name='question_id[]' id='qID_18' value='486463' \/><input type='hidden' id='answerType486463' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486463[]' id='answer-id-1878807' class='answer   answerof-486463 ' value='1878807'   \/><label for='answer-id-1878807' id='answer-label-1878807' class=' answer'><span>Export the incident history<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486463[]' id='answer-id-1878808' class='answer   answerof-486463 ' value='1878808'   \/><label for='answer-id-1878808' id='answer-label-1878808' class=' answer'><span>Change the rule severity<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486463[]' id='answer-id-1878809' class='answer   answerof-486463 ' value='1878809'   \/><label for='answer-id-1878809' id='answer-label-1878809' class=' answer'><span>Open the device monitor<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486463[]' id='answer-id-1878810' class='answer   answerof-486463 ' value='1878810'   \/><label for='answer-id-1878810' id='answer-label-1878810' class=' answer'><span>Pivot on the username<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-19' style=';'><div id='questionWrap-19'  class='   watupro-question-id-486464'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>19. <\/span>An analyst opens an event showing a connection to a suspicious external IP. The analyst wants to know whether other internal hosts contacted the same destination. 
<br \/>\r<br>What is the best next step?<\/div><input type='hidden' name='question_id[]' id='qID_19' value='486464' \/><input type='hidden' id='answerType486464' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486464[]' id='answer-id-1878811' class='answer   answerof-486464 ' value='1878811'   \/><label for='answer-id-1878811' id='answer-label-1878811' class=' answer'><span>Search the event ID only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486464[]' id='answer-id-1878812' class='answer   answerof-486464 ' value='1878812'   \/><label for='answer-id-1878812' id='answer-label-1878812' class=' answer'><span>Change the event severity<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486464[]' id='answer-id-1878813' class='answer   answerof-486464 ' value='1878813'   \/><label for='answer-id-1878813' id='answer-label-1878813' class=' answer'><span>Filter by collector name<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486464[]' id='answer-id-1878814' class='answer   answerof-486464 ' value='1878814'   \/><label for='answer-id-1878814' id='answer-label-1878814' class=' answer'><span>Group by source host<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-20' style=';'><div id='questionWrap-20'  class='   watupro-question-id-486465'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>20. <\/span>A lookup table contains approved DNS resolvers. The analyst needs to find internal hosts sending DNS traffic to resolvers outside that list. 
<br \/>\r<br>Which condition should be used?<\/div><input type='hidden' name='question_id[]' id='qID_20' value='486465' \/><input type='hidden' id='answerType486465' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486465[]' id='answer-id-1878815' class='answer   answerof-486465 ' value='1878815'   \/><label for='answer-id-1878815' id='answer-label-1878815' class=' answer'><span>Match only closed DNS incidents<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486465[]' id='answer-id-1878816' class='answer   answerof-486465 ' value='1878816'   \/><label for='answer-id-1878816' id='answer-label-1878816' class=' answer'><span>Sort DNS events by collector<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486465[]' id='answer-id-1878817' class='answer   answerof-486465 ' value='1878817'   \/><label for='answer-id-1878817' id='answer-label-1878817' class=' answer'><span>Filter DNS logs by severity<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486465[]' id='answer-id-1878818' class='answer   answerof-486465 ' value='1878818'   \/><label for='answer-id-1878818' id='answer-label-1878818' class=' answer'><span>Exclude approved lookup values<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-21' style=';'><div id='questionWrap-21'  class='   watupro-question-id-486466'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>21. <\/span>A search shows a high number of failed logins from a single source IP. The analyst needs to know whether it targeted many users or repeatedly targeted one user. 
<br \/>\r<br>Which result view best answers this?<\/div><input type='hidden' name='question_id[]' id='qID_21' value='486466' \/><input type='hidden' id='answerType486466' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486466[]' id='answer-id-1878819' class='answer   answerof-486466 ' value='1878819'   \/><label for='answer-id-1878819' id='answer-label-1878819' class=' answer'><span>Sort by receive time<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486466[]' id='answer-id-1878820' class='answer   answerof-486466 ' value='1878820'   \/><label for='answer-id-1878820' id='answer-label-1878820' class=' answer'><span>Group by device type<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486466[]' id='answer-id-1878821' class='answer   answerof-486466 ' value='1878821'   \/><label for='answer-id-1878821' id='answer-label-1878821' class=' answer'><span>Display raw message only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486466[]' id='answer-id-1878822' class='answer   answerof-486466 ' value='1878822'   \/><label for='answer-id-1878822' id='answer-label-1878822' class=' answer'><span>Count distinct users<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-22' style=';'><div id='questionWrap-22'  class='   watupro-question-id-486467'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>22. <\/span>An analyst builds a lookup-based search for known malicious IPs. The search returns no matches, but the analyst sees the same IPs in raw events. 
<br \/>\r<br>What is the most likely issue to check first?<\/div><input type='hidden' name='question_id[]' id='qID_22' value='486467' \/><input type='hidden' id='answerType486467' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486467[]' id='answer-id-1878823' class='answer   answerof-486467 ' value='1878823'   \/><label for='answer-id-1878823' id='answer-label-1878823' class=' answer'><span>Incident owner mismatch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486467[]' id='answer-id-1878824' class='answer   answerof-486467 ' value='1878824'   \/><label for='answer-id-1878824' id='answer-label-1878824' class=' answer'><span>Field format mismatch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486467[]' id='answer-id-1878825' class='answer   answerof-486467 ' value='1878825'   \/><label for='answer-id-1878825' id='answer-label-1878825' class=' answer'><span>Report output mismatch<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486467[]' id='answer-id-1878826' class='answer   answerof-486467 ' value='1878826'   \/><label for='answer-id-1878826' id='answer-label-1878826' class=' answer'><span>Dashboard widget mismatch<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-23' style=';'><div id='questionWrap-23'  class='   watupro-question-id-486468'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>23. <\/span>During an investigation, an analyst needs to find users who logged in successfully after multiple failures from the same source within a short period. 
<br \/>\r<br>Which search strategy best fits the pattern?<\/div><input type='hidden' name='question_id[]' id='qID_23' value='486468' \/><input type='hidden' id='answerType486468' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486468[]' id='answer-id-1878827' class='answer   answerof-486468 ' value='1878827'   \/><label for='answer-id-1878827' id='answer-label-1878827' class=' answer'><span>Search only success events<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486468[]' id='answer-id-1878828' class='answer   answerof-486468 ' value='1878828'   \/><label for='answer-id-1878828' id='answer-label-1878828' class=' answer'><span>Search only failure events<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486468[]' id='answer-id-1878829' class='answer   answerof-486468 ' value='1878829'   \/><label for='answer-id-1878829' id='answer-label-1878829' class=' answer'><span>Correlate both outcomes<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486468[]' id='answer-id-1878830' class='answer   answerof-486468 ' value='1878830'   \/><label for='answer-id-1878830' id='answer-label-1878830' class=' answer'><span>Group by collector only<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-24' style=';'><div id='questionWrap-24'  class='   watupro-question-id-486469'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>24. <\/span>A rule should identify a source IP that fails authentication against more than 20 unique accounts. 
<br \/>\r<br>Which aggregation is required?<\/div><input type='hidden' name='question_id[]' id='qID_24' value='486469' \/><input type='hidden' id='answerType486469' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486469[]' id='answer-id-1878831' class='answer   answerof-486469 ' value='1878831'   \/><label for='answer-id-1878831' id='answer-label-1878831' class=' answer'><span>Distinct account count<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486469[]' id='answer-id-1878832' class='answer   answerof-486469 ' value='1878832'   \/><label for='answer-id-1878832' id='answer-label-1878832' class=' answer'><span>Latest failure time<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486469[]' id='answer-id-1878833' class='answer   answerof-486469 ' value='1878833'   \/><label for='answer-id-1878833' id='answer-label-1878833' class=' answer'><span>Average event severity<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486469[]' id='answer-id-1878834' class='answer   answerof-486469 ' value='1878834'   \/><label for='answer-id-1878834' id='answer-label-1878834' class=' answer'><span>Target host count<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-25' style=';'><div id='questionWrap-25'  class='   watupro-question-id-486470'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>25. <\/span>A rule creates one incident for each destination IP contacted by the same infected host. The SOC wants one incident per infected host instead. 
<br \/>\r<br>What should be changed?<\/div><input type='hidden' name='question_id[]' id='qID_25' value='486470' \/><input type='hidden' id='answerType486470' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486470[]' id='answer-id-1878835' class='answer   answerof-486470 ' value='1878835'   \/><label for='answer-id-1878835' id='answer-label-1878835' class=' answer'><span>Add a notification delay<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486470[]' id='answer-id-1878836' class='answer   answerof-486470 ' value='1878836'   \/><label for='answer-id-1878836' id='answer-label-1878836' class=' answer'><span>Adjust destination grouping<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486470[]' id='answer-id-1878837' class='answer   answerof-486470 ' value='1878837'   \/><label for='answer-id-1878837' id='answer-label-1878837' class=' answer'><span>Raise the event threshold<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486470[]' id='answer-id-1878838' class='answer   answerof-486470 ' value='1878838'   \/><label for='answer-id-1878838' id='answer-label-1878838' class=' answer'><span>Change incident severity<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-26' style=';'><div id='questionWrap-26'  class='   watupro-question-id-486471'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>26. <\/span>A correlation rule has two subpatterns, but the second subpattern matches events from any host instead of the host found in the first subpattern. 
<br \/>\r<br>What is missing?<\/div><input type='hidden' name='question_id[]' id='qID_26' value='486471' \/><input type='hidden' id='answerType486471' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486471[]' id='answer-id-1878839' class='answer   answerof-486471 ' value='1878839'   \/><label for='answer-id-1878839' id='answer-label-1878839' class=' answer'><span>A clear-condition timer<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486471[]' id='answer-id-1878840' class='answer   answerof-486471 ' value='1878840'   \/><label for='answer-id-1878840' id='answer-label-1878840' class=' answer'><span>A notification template<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486471[]' id='answer-id-1878841' class='answer   answerof-486471 ' value='1878841'   \/><label for='answer-id-1878841' id='answer-label-1878841' class=' answer'><span>A shared field constraint<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486471[]' id='answer-id-1878842' class='answer   answerof-486471 ' value='1878842'   \/><label for='answer-id-1878842' id='answer-label-1878842' class=' answer'><span>A report output filter<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-27' style=';'><div id='questionWrap-27'  class='   watupro-question-id-486472'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>27. <\/span>A search for failed logins grouped by username shows separate rows for variations such as jsmith, JSMITH, and domain\\jsmith. 
<br \/>\r<br>What should the analyst consider?<\/div><input type='hidden' name='question_id[]' id='qID_27' value='486472' \/><input type='hidden' id='answerType486472' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486472[]' id='answer-id-1878843' class='answer   answerof-486472 ' value='1878843'   \/><label for='answer-id-1878843' id='answer-label-1878843' class=' answer'><span>Report export tuning<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486472[]' id='answer-id-1878844' class='answer   answerof-486472 ' value='1878844'   \/><label for='answer-id-1878844' id='answer-label-1878844' class=' answer'><span>Normalized identity fields<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486472[]' id='answer-id-1878845' class='answer   answerof-486472 ' value='1878845'   \/><label for='answer-id-1878845' id='answer-label-1878845' class=' answer'><span>Collector disk usage<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486472[]' id='answer-id-1878846' class='answer   answerof-486472 ' value='1878846'   \/><label for='answer-id-1878846' id='answer-label-1878846' class=' answer'><span>Dashboard permissions<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-28' style=';'><div id='questionWrap-28'  class='   watupro-question-id-486473'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>28. <\/span>An analyst is investigating successful administrative logons. The search must include only accounts that belong to privileged groups. 
<br \/>\r<br>Which data source should provide that context?<\/div><input type='hidden' name='question_id[]' id='qID_28' value='486473' \/><input type='hidden' id='answerType486473' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486473[]' id='answer-id-1878847' class='answer   answerof-486473 ' value='1878847'   \/><label for='answer-id-1878847' id='answer-label-1878847' class=' answer'><span>Report output settings<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486473[]' id='answer-id-1878848' class='answer   answerof-486473 ' value='1878848'   \/><label for='answer-id-1878848' id='answer-label-1878848' class=' answer'><span>Identity enrichment data<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486473[]' id='answer-id-1878849' class='answer   answerof-486473 ' value='1878849'   \/><label for='answer-id-1878849' id='answer-label-1878849' class=' answer'><span>Collector status history<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486473[]' id='answer-id-1878850' class='answer   answerof-486473 ' value='1878850'   \/><label for='answer-id-1878850' id='answer-label-1878850' class=' answer'><span>Notification policy logs<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-29' style=';'><div id='questionWrap-29'  class='   watupro-question-id-486474'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>29. <\/span>A SOC analyst is hunting for lateral movement. The first search finds hosts with suspicious administrative logons. The second search should identify SMB connections from those same hosts. 
<br \/>\r<br>Which field should be passed from the first search?<\/div><input type='hidden' name='question_id[]' id='qID_29' value='486474' \/><input type='hidden' id='answerType486474' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486474[]' id='answer-id-1878851' class='answer   answerof-486474 ' value='1878851'   \/><label for='answer-id-1878851' id='answer-label-1878851' class=' answer'><span>Source host<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486474[]' id='answer-id-1878852' class='answer   answerof-486474 ' value='1878852'   \/><label for='answer-id-1878852' id='answer-label-1878852' class=' answer'><span>Report name<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486474[]' id='answer-id-1878853' class='answer   answerof-486474 ' value='1878853'   \/><label for='answer-id-1878853' id='answer-label-1878853' class=' answer'><span>Incident owner<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486474[]' id='answer-id-1878854' class='answer   answerof-486474 ' value='1878854'   \/><label for='answer-id-1878854' id='answer-label-1878854' class=' answer'><span>Parser version<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-30' style=';'><div id='questionWrap-30'  class='   watupro-question-id-486475'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>30. <\/span>A lookup table stores approved administrative jump hosts. An analyst wants to detect privileged logons that did not originate from those hosts. 
<br \/>\r<br>Which condition should be used?<\/div><input type='hidden' name='question_id[]' id='qID_30' value='486475' \/><input type='hidden' id='answerType486475' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486475[]' id='answer-id-1878855' class='answer   answerof-486475 ' value='1878855'   \/><label for='answer-id-1878855' id='answer-label-1878855' class=' answer'><span>Match approved hosts only<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486475[]' id='answer-id-1878856' class='answer   answerof-486475 ' value='1878856'   \/><label for='answer-id-1878856' id='answer-label-1878856' class=' answer'><span>Exclude approved hosts<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486475[]' id='answer-id-1878857' class='answer   answerof-486475 ' value='1878857'   \/><label for='answer-id-1878857' id='answer-label-1878857' class=' answer'><span>Sort by jump host name<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486475[]' id='answer-id-1878858' class='answer   answerof-486475 ' value='1878858'   \/><label for='answer-id-1878858' id='answer-label-1878858' class=' answer'><span>Hide source host field<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-31' style=';'><div id='questionWrap-31'  class='   watupro-question-id-486476'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>31. <\/span>A search using a lookup table matches too many internal IPs because the table contains broad subnet ranges. 
<br \/>\r<br>What should the analyst refine?<\/div><input type='hidden' name='question_id[]' id='qID_31' value='486476' \/><input type='hidden' id='answerType486476' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486476[]' id='answer-id-1878859' class='answer   answerof-486476 ' value='1878859'   \/><label for='answer-id-1878859' id='answer-label-1878859' class=' answer'><span>Incident priority<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486476[]' id='answer-id-1878860' class='answer   answerof-486476 ' value='1878860'   \/><label for='answer-id-1878860' id='answer-label-1878860' class=' answer'><span>Lookup scope<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486476[]' id='answer-id-1878861' class='answer   answerof-486476 ' value='1878861'   \/><label for='answer-id-1878861' id='answer-label-1878861' class=' answer'><span>Report schedule<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486476[]' id='answer-id-1878862' class='answer   answerof-486476 ' value='1878862'   \/><label for='answer-id-1878862' id='answer-label-1878862' class=' answer'><span>Parser status<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-32' style=';'><div id='questionWrap-32'  class='   watupro-question-id-486477'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>32. <\/span>A SOC team wants a rule to detect hosts that first generate endpoint malware events and then make outbound connections to suspicious countries. 
<br \/>\r<br>Which rule design is strongest?<\/div><input type='hidden' name='question_id[]' id='qID_32' value='486477' \/><input type='hidden' id='answerType486477' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486477[]' id='answer-id-1878863' class='answer   answerof-486477 ' value='1878863'   \/><label for='answer-id-1878863' id='answer-label-1878863' class=' answer'><span>Endpoint-only rule with host count<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486477[]' id='answer-id-1878864' class='answer   answerof-486477 ' value='1878864'   \/><label for='answer-id-1878864' id='answer-label-1878864' class=' answer'><span>Two linked subpatterns<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486477[]' id='answer-id-1878865' class='answer   answerof-486477 ' value='1878865'   \/><label for='answer-id-1878865' id='answer-label-1878865' class=' answer'><span>Firewall-only rule with country group<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486477[]' id='answer-id-1878866' class='answer   answerof-486477 ' value='1878866'   \/><label for='answer-id-1878866' id='answer-label-1878866' class=' answer'><span>Lookup-only country filter<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-33' style=';'><div id='questionWrap-33'  class='   watupro-question-id-486478'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>33. <\/span>A correlation rule is designed to detect five failures followed by one success. Testing shows the events match individually, but the rule does not trigger because the success occurs after the current evaluation period. 
<br \/>\r<br>What should be adjusted?<\/div><input type='hidden' name='question_id[]' id='qID_33' value='486478' \/><input type='hidden' id='answerType486478' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486478[]' id='answer-id-1878867' class='answer   answerof-486478 ' value='1878867'   \/><label for='answer-id-1878867' id='answer-label-1878867' class=' answer'><span>Group-by field order<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486478[]' id='answer-id-1878868' class='answer   answerof-486478 ' value='1878868'   \/><label for='answer-id-1878868' id='answer-label-1878868' class=' answer'><span>Lookup table scope<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486478[]' id='answer-id-1878869' class='answer   answerof-486478 ' value='1878869'   \/><label for='answer-id-1878869' id='answer-label-1878869' class=' answer'><span>Incident clear method<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486478[]' id='answer-id-1878870' class='answer   answerof-486478 ' value='1878870'   \/><label for='answer-id-1878870' id='answer-label-1878870' class=' answer'><span>Rule time window<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-34' style=';'><div id='questionWrap-34'  class='   watupro-question-id-486479'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>34. <\/span>An analyst wants search results to show asset owner and business service next to each affected host. 
<br \/>\r<br>Where should that context come from?<\/div><input type='hidden' name='question_id[]' id='qID_34' value='486479' \/><input type='hidden' id='answerType486479' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486479[]' id='answer-id-1878871' class='answer   answerof-486479 ' value='1878871'   \/><label for='answer-id-1878871' id='answer-label-1878871' class=' answer'><span>Incident comments<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486479[]' id='answer-id-1878872' class='answer   answerof-486479 ' value='1878872'   \/><label for='answer-id-1878872' id='answer-label-1878872' class=' answer'><span>CMDB enrichment<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486479[]' id='answer-id-1878873' class='answer   answerof-486479 ' value='1878873'   \/><label for='answer-id-1878873' id='answer-label-1878873' class=' answer'><span>Parser error logs<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486479[]' id='answer-id-1878874' class='answer   answerof-486479 ' value='1878874'   \/><label for='answer-id-1878874' id='answer-label-1878874' class=' answer'><span>Email templates<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-35' style=';'><div id='questionWrap-35'  class='   watupro-question-id-486480'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>35. <\/span>An analyst wants to detect accounts that had several failed logins followed by a successful login from the same source. 
<br \/>\r<br>Which analytic approach is most suitable?<\/div><input type='hidden' name='question_id[]' id='qID_35' value='486480' \/><input type='hidden' id='answerType486480' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486480[]' id='answer-id-1878875' class='answer   answerof-486480 ' value='1878875'   \/><label for='answer-id-1878875' id='answer-label-1878875' class=' answer'><span>Correlate both outcomes<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486480[]' id='answer-id-1878876' class='answer   answerof-486480 ' value='1878876'   \/><label for='answer-id-1878876' id='answer-label-1878876' class=' answer'><span>Hide success events<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486480[]' id='answer-id-1878877' class='answer   answerof-486480 ' value='1878877'   \/><label for='answer-id-1878877' id='answer-label-1878877' class=' answer'><span>Sort failures by user<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486480[]' id='answer-id-1878878' class='answer   answerof-486480 ' value='1878878'   \/><label for='answer-id-1878878' id='answer-label-1878878' class=' answer'><span>Group by collector only<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-36' style=';'><div id='questionWrap-36'  class='   watupro-question-id-486481'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>36. <\/span>An analyst needs to compare authentication failures across business units. Business unit information is stored as an asset attribute. 
<br \/>\r<br>Which search result design is best?<\/div><input type='hidden' name='question_id[]' id='qID_36' value='486481' \/><input type='hidden' id='answerType486481' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486481[]' id='answer-id-1878879' class='answer   answerof-486481 ' value='1878879'   \/><label for='answer-id-1878879' id='answer-label-1878879' class=' answer'><span>Sort events by raw message<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486481[]' id='answer-id-1878880' class='answer   answerof-486481 ' value='1878880'   \/><label for='answer-id-1878880' id='answer-label-1878880' class=' answer'><span>Filter by collector uptime<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486481[]' id='answer-id-1878881' class='answer   answerof-486481 ' value='1878881'   \/><label for='answer-id-1878881' id='answer-label-1878881' class=' answer'><span>Display only incident names<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486481[]' id='answer-id-1878882' class='answer   answerof-486481 ' value='1878882'   \/><label for='answer-id-1878882' id='answer-label-1878882' class=' answer'><span>Group by CMDB attribute<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-37' style=';'><div id='questionWrap-37'  class='   watupro-question-id-486482'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>37. <\/span>An analyst finds suspicious logon events and then needs to search for outbound connections made later by the same hosts. 
<br \/>\r<br>Which feature best reduces manual pivoting?<\/div><input type='hidden' name='question_id[]' id='qID_37' value='486482' \/><input type='hidden' id='answerType486482' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486482[]' id='answer-id-1878883' class='answer   answerof-486482 ' value='1878883'   \/><label for='answer-id-1878883' id='answer-label-1878883' class=' answer'><span>Scheduled report output<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486482[]' id='answer-id-1878884' class='answer   answerof-486482 ' value='1878884'   \/><label for='answer-id-1878884' id='answer-label-1878884' class=' answer'><span>Device inventory import<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486482[]' id='answer-id-1878885' class='answer   answerof-486482 ' value='1878885'   \/><label for='answer-id-1878885' id='answer-label-1878885' class=' answer'><span>Incident owner change<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486482[]' id='answer-id-1878886' class='answer   answerof-486482 ' value='1878886'   \/><label for='answer-id-1878886' id='answer-label-1878886' class=' answer'><span>Nested query lookup<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-38' style=';'><div id='questionWrap-38'  class='   watupro-question-id-486483'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>38. <\/span>A query groups web proxy events by URL category and counts events. The SOC lead wants to know which users accessed risky categories. 
<br \/>\r<br>What should be added to the grouping?<\/div><input type='hidden' name='question_id[]' id='qID_38' value='486483' \/><input type='hidden' id='answerType486483' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486483[]' id='answer-id-1878887' class='answer   answerof-486483 ' value='1878887'   \/><label for='answer-id-1878887' id='answer-label-1878887' class=' answer'><span>Report creator<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486483[]' id='answer-id-1878888' class='answer   answerof-486483 ' value='1878888'   \/><label for='answer-id-1878888' id='answer-label-1878888' class=' answer'><span>Collector version<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486483[]' id='answer-id-1878889' class='answer   answerof-486483 ' value='1878889'   \/><label for='answer-id-1878889' id='answer-label-1878889' class=' answer'><span>User identity<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486483[]' id='answer-id-1878890' class='answer   answerof-486483 ' value='1878890'   \/><label for='answer-id-1878890' id='answer-label-1878890' class=' answer'><span>Incident status<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-39' style=';'><div id='questionWrap-39'  class='   watupro-question-id-486484'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>39. <\/span>A search uses CMDB location data to group failed logins by office. One office shows unexpectedly high failures. 
<br \/>\r<br>What is the best next analytic pivot?<\/div><input type='hidden' name='question_id[]' id='qID_39' value='486484' \/><input type='hidden' id='answerType486484' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486484[]' id='answer-id-1878891' class='answer   answerof-486484 ' value='1878891'   \/><label for='answer-id-1878891' id='answer-label-1878891' class=' answer'><span>Drill into users and hosts<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486484[]' id='answer-id-1878892' class='answer   answerof-486484 ' value='1878892'   \/><label for='answer-id-1878892' id='answer-label-1878892' class=' answer'><span>Change collector protocol<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486484[]' id='answer-id-1878893' class='answer   answerof-486484 ' value='1878893'   \/><label for='answer-id-1878893' id='answer-label-1878893' class=' answer'><span>Rename the office group<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486484[]' id='answer-id-1878894' class='answer   answerof-486484 ' value='1878894'   \/><label for='answer-id-1878894' id='answer-label-1878894' class=' answer'><span>Disable office enrichment<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div class='watu-question ' id='question-40' style=';'><div id='questionWrap-40'  class='   watupro-question-id-486485'>\n\t\t\t<div class='question-content'><div><span class='watupro_num'>40. <\/span>A FortiSIEM analyst is investigating suspicious endpoint activity. A first search identifies hosts with malware events. A second search must find logons by the same users on other hosts. 
<br \/>\r<br>Which value should be carried into the next query?<\/div><input type='hidden' name='question_id[]' id='qID_40' value='486485' \/><input type='hidden' id='answerType486485' value='radio'><!-- end question-content--><\/div><div class='question-choices watupro-choices-columns '><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486485[]' id='answer-id-1878895' class='answer   answerof-486485 ' value='1878895'   \/><label for='answer-id-1878895' id='answer-label-1878895' class=' answer'><span>Username<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486485[]' id='answer-id-1878896' class='answer   answerof-486485 ' value='1878896'   \/><label for='answer-id-1878896' id='answer-label-1878896' class=' answer'><span>Report title<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486485[]' id='answer-id-1878897' class='answer   answerof-486485 ' value='1878897'   \/><label for='answer-id-1878897' id='answer-label-1878897' class=' answer'><span>Collector name<\/span><\/label><\/div><div class='watupro-question-choice  ' dir='auto' ><input type='radio' name='answer-486485[]' id='answer-id-1878898' class='answer   answerof-486485 ' value='1878898'   \/><label for='answer-id-1878898' id='answer-label-1878898' class=' answer'><span>Event severity color<\/span><\/label><\/div><!-- end question-choices--><\/div><!-- end questionWrap--><\/div><\/div><div style='display:none' id='question-41'>\n\t<div class='question-content'>\n\t\t<img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.dumpsbase.com\/freedumps\/wp-content\/plugins\/watupro\/img\/loading.gif\" width=\"16\" height=\"16\" alt=\"Loading...\" title=\"Loading...\" \/>&nbsp;Loading...\t<\/div>\n<\/div>\n\n<br \/>\n\t\n\t\t\t<div class=\"watupro_buttons flex \" id=\"watuPROButtons12498\" >\n\t\t  <div id=\"prev-question\" style=\"display:none;\"><input 
type=\"button\" value=\"&lt; Previous\" onclick=\"WatuPRO.nextQuestion(event, 'previous');\"\/><\/div>\n\t\t<\/div>\n\t\t\t<\/form>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Fortinet NSE 6 &#8211; FortiSIEM 7.4 Analyst (NSE6_FSM_AN-7.4) is available for your FCSS &#8211; Security Operations certification track. Details can be found in our article \u201cNSE6_FSM_AN-7.4 Exam Dumps: Fortinet NSE 6 &#8211; FortiSIEM 7.4 Analyst Practice Questions and Update System Overview 2026\u201d. 
You can trust that we have the latest NSE6_FSM_AN-7.4 dumps (V8.02) with [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[17099,189,3249],"tags":[21319,21320],"class_list":["post-128179","post","type-post","status-publish","format-standard","hentry","category-fcss-in-security-operations","category-fortinet","category-nse6","tag-nse6_fsm_an-7-4","tag-nse6_fsm_an-7-4-exam-dumps"],"_links":{"self":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/128179","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/comments?post=128179"}],"version-history":[{"count":2,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/128179\/revisions"}],"predecessor-version":[{"id":128181,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/posts\/128179\/revisions\/128181"}],"wp:attachment":[{"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/media?parent=128179"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/categories?post=128179"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dumpsbase.com\/freedumps\/wp-json\/wp\/v2\/tags?post=128179"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}