Question 6 of 33

How can you empower SOC by deploying FortiSOAR? (Choose three.)

    Correct Answer: A, D, E

    FortiSOAR empowers SOCs in several significant ways. Firstly, it aggregates logs from distributed systems, providing a centralized platform to monitor and analyze security events. This aggregation enhances visibility and simplifies the processes of detection and response. Secondly, FortiSOAR reduces human error by automating repetitive tasks and workflows, which not only minimizes mistakes but also allows security analysts to focus on more critical security issues. Lastly, FortiSOAR addresses the analyst skills gap by offering playbooks and automated processes that guide junior analysts and standardize operations, thus improving the overall efficiency and effectiveness of the SOC.

Question 7 of 33

Which of the following are two Tactics in the MITRE ATT&CK framework? (Choose two.)

    Correct Answer: B, C

    In the MITRE ATT&CK framework, tactics are the adversary's technical objectives, the "why" behind a technique. Reconnaissance and Discovery are two such tactics. Reconnaissance covers gathering information about a target before initial access, to plan future operations; Discovery covers the adversary learning about the environment after gaining a foothold (hosts, accounts, network shares, and so on). Both Reconnaissance and Discovery are therefore valid ATT&CK tactics.

Question 8 of 33

Refer to the exhibit. Click on the calculator button.

Based on the information provided in the exhibit, calculate the unused events for the next three minutes for a 520 EPS license.

    Correct Answer: D

    To calculate the unused events for the next three minutes (180 seconds) on a 520 EPS license: the guaranteed capacity is 520 EPS * 180 seconds = 93,600 events, and the 10% buffer on top of the guaranteed EPS raises it to 93,600 * 1.1 = 102,960 events for the window. The events actually consumed at the observed rate of 175 EPS over the same 180 seconds are 175 * 180 = 31,500. Unused events are therefore 102,960 - 31,500 = 71,460, which is answer D.

Question 9 of 33

Refer to the exhibit.

An administrator wants to remediate the incident from FortiSIEM shown in the exhibit.

What option is available to the administrator?

    Correct Answer: C

    The XML exhibit shows an incident in which a firewall detected a virus but did not remediate it. FortiSIEM can run a remediation script against the reporting FortiGate, and the option 'Run the block IP FortiOS 5.4' fits this incident: the script targets FortiOS 5.4 firmware and blocks the offending IP directly on the FortiGate. That is the appropriate remediation action available to the administrator here.

Question 10 of 33

Refer to the exhibit.

The window for this rule is 30 minutes.

What is this rule tracking?

    Correct Answer: D

    The rule compares the average WMI response time in the current 30-minute window against the baseline average and fires when the current value reaches 1.50 times the baseline. The 150% figure describes the new value relative to the baseline (it is 150% of the baseline), not the increment: strictly, 1.50 times the baseline is a 50% rise above it, and a true 150% increase would be 2.5 times the baseline.
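As an added example (not from the exam page and not FortiSIEM code), the following Python implements the rule's logic over constructed WMI response-time samples: it averages each host's response time in the latest 30-minute window, compares it with the average of the preceding 30-minute window, and triggers at a ratio of 1.50. The host names, timestamps and values are constructed, and using the previous window as the baseline is an assumption, since the exhibit does not say how FortiSIEM derives its baseline. The result reports the value both as a percentage of the baseline (150%) and as an increase above it (50%), the distinction the explanation turns on.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

WINDOW = timedelta(minutes=30)   # rule window from the question
RATIO = 1.50                     # fire when current average >= 1.50 x baseline average

# Constructed sample records (not FortiSIEM output): "<ISO timestamp> <host> <wmi_resp_ms>"
SAMPLES = [
    "2024-01-01T09:05:00 dc01 100",   # dc01 baseline window 09:00-09:30, mean 100 ms
    "2024-01-01T09:15:00 dc01 120",
    "2024-01-01T09:20:00 dc01 80",
    "2024-01-01T09:25:00 dc01 100",
    "2024-01-01T09:35:00 dc01 140",   # dc01 current window 09:30-10:00, mean 150 ms
    "2024-01-01T09:45:00 dc01 160",
    "2024-01-01T09:50:00 dc01 150",
    "2024-01-01T09:55:00 dc01 150",
    "2024-01-01T09:10:00 dc02 200",   # dc02 baseline mean 200 ms
    "2024-01-01T09:20:00 dc02 200",
    "2024-01-01T09:40:00 dc02 260",   # dc02 current mean 280 ms (ratio 1.4, below threshold)
    "2024-01-01T09:50:00 dc02 280",
    "2024-01-01T09:55:00 dc02 300",
]
NOW = datetime(2024, 1, 1, 10, 0, 0)   # evaluation time (constructed)


def parse(lines):
    """Parse the constructed records into (timestamp, host, response_ms) tuples."""
    records = []
    for line in lines:
        ts, host, ms = line.split()
        records.append((datetime.fromisoformat(ts), host, float(ms)))
    return records


def evaluate(records, now, window=WINDOW, ratio=RATIO):
    """Per host, compare the mean response time in [now-window, now) with the mean
    in the preceding window [now-2*window, now-window). The preceding window as
    baseline is an assumption for this example."""
    current = defaultdict(list)
    baseline = defaultdict(list)
    for ts, host, ms in records:
        if now - window <= ts < now:
            current[host].append(ms)
        elif now - 2 * window <= ts < now - window:
            baseline[host].append(ms)

    results = {}
    for host, cur in current.items():
        base = baseline.get(host)
        if not base or mean(base) == 0:
            continue   # no usable baseline: the ratio is undefined, so the rule cannot fire
        b, c = mean(base), mean(cur)
        r = c / b
        results[host] = {
            "baseline_ms": b,
            "current_ms": c,
            "ratio": r,
            "percent_of_baseline": r * 100,      # 1.50x -> 150% of baseline
            "percent_increase": (r - 1) * 100,   # 1.50x -> 50% above baseline
            "triggered": r >= ratio,
        }
    return results


def run_example():
    """Evaluate the constructed samples at NOW; dc01 should trigger, dc02 should not."""
    return evaluate(parse(SAMPLES), NOW)


if __name__ == "__main__":
    for host, r in run_example().items():
        print(f"{host}: baseline {r['baseline_ms']:.0f} ms, current {r['current_ms']:.0f} ms, "
              f"ratio {r['ratio']:.2f} ({r['percent_of_baseline']:.0f}% of baseline, "
              f"+{r['percent_increase']:.0f}%), triggered={r['triggered']}")
```

Hosts with no samples in the baseline window are skipped rather than alerted, because a ratio against a missing or zero baseline is meaningless; in a production rule that gap is itself worth a separate low-severity notification.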