nse8_812 Exam Questions

nse8_812 Exam - Question 39


Refer to the exhibit.

The exhibit shows the forensics analysis of an event detected by the FortiEDR core.

In this scenario, which statement is correct regarding the threat?

Correct Answer: C

The exhibit shows an event in which a suspicious file, 1.exe, was classified as malicious and attempted to create, open, and write files. The process flow indicates a ransomware attack pattern, as evidenced by the create and open actions performed by the 1.exe process and the subsequent launch of suspicious processes. FortiEDR identified and flagged these malicious actions, as shown by the red alerts. However, the grey 'Block FORTINET' indicator shows that the blocking action was not actively enforced: the attack was recognized but not stopped. Hence, this is a ransomware attack that has not been stopped by FortiEDR.

Discussion

6 comments
pplee_sh (Option: D)
Sep 8, 2023

Should be D

ama6 (Option: A)
Sep 25, 2023

It has been blocked but not stopped.

Golux (Option: C)
Jan 4, 2024

C is the correct answer! The last (rightmost) node logo is a file, meaning it is a ransomware attack, and the "Block FORTINET" logo is grey (not red), meaning it is a simulated block... the attack was not stopped.

ac89l (Option: C)
Jan 23, 2024

A and D are not correct, because this is a Simulated Block and the "Block FORTINET" indicator is grey. I would go with C. https://docs.fortinet.com/document/fortiedr/6.0.0/administration-guide/28226/flow-analyzer-view

ama6 (Option: B)
Sep 25, 2023

B is correct; the exhibit also shows that the attack is using the Cobalt Strike beacon. Cobalt Strike is a penetration testing tool that can be used for both legitimate and malicious purposes. In this case, the Cobalt Strike beacon is being used to exfiltrate files from the device.

Pat1361 (Option: C)
Jul 15, 2024

"Block FORTINET" is not red, meaning it has not been stopped. C is correct.