Fortinet NSE 5 - FortiEDR 5.0

Here you have the best Fortinet NSE5_EDR-5.0 practice exam questions

You have 44 total questions to study from
Each page has 5 questions, making a total of 9 pages
You can navigate through the pages using the buttons at the bottom
This questions were last updated on May 14, 2025
This site is not affiliated with or endorsed by Fortinet.

Question 1 of 44

What is true about classifications assigned by Fortinet Cloud Service (FCS)?

FCS revises the classification of the core based on its database.

The core only assigns a classification if FCS is not available.

FCS is responsible for all classifications.

The core is responsible for all classifications if FCS playbooks are disabled.

Correct Answer: A

FCS revises the classification of the core based on its database. This statement reflects that Fortinet Cloud Service uses its database to update and refine the classifications. This implies an ongoing process where FCS is integral to ensuring the classifications are current and accurate.

Question 2 of 44

Based on the forensics data shown in the exhibit, which two statements are true? (Choose two.)

The device cannot be remediated.

The execution prevention policy has blocked this event.

The event was blocked because the certificate is unsigned.

Device C8092231196 has been isolated.

Correct Answer: A, B

The device cannot be remediated because the 'Remediate' button is greyed out, indicating that remediation is not possible in this instance. Additionally, the event was blocked by the execution prevention policy, as indicated by the red block icon in the event graph, signifying that the malicious action was stopped during its execution phase. There is no indication that the device has been isolated nor is there evidence that the event was blocked solely because the certificate is unsigned.

Question 3 of 44

Refer to the exhibit.

Based on the event shown in the exhibit, which two statements about the event are true? (Choose two.)

The NGAV policy has blocked TestApplication.exe.

FCS classified the event as malicious.

TestApplication.exe is sophisticated malware.

The user was able to launch TestApplication.exe.

Correct Answer: C, D

TestApplication.exe is identified as sophisticated malware based on the triggered Exfiltration Prevention rules, which are invoked after execution, indicating it bypassed the initial detection. This means the user was able to launch TestApplication.exe, as the post-execution rules were applied, signifying the program executed on the system.

Question 4 of 44

How does FortiEDR implement post-infection protection?

By insurance against ransomware

By preventing data exfiltration or encryption even after a breach occurs

By real-time filtering to prevent malware from executing

By using methods used by traditional EDR

Correct Answer: B

FortiEDR implements post-infection protection by preventing data exfiltration or encryption even after a breach occurs. This means that even if an attacker manages to compromise the system, FortiEDR can stop the attacker from accessing or taking the data out of the organization, thereby limiting the damage.

Question 5 of 44

Which scripting language is supported by the FortiEDR action manager?

TCL

Bash

Perl

Python

Correct Answer: D

The scripting language supported by the FortiEDR action manager is Python. Python is widely used in automation and scripting tasks, which makes it a suitable choice for such applications.