01. After integrating FortiEDR with external SIEM tools, an administrator notices that some events are missing from the SIEM dashboard. What is the most likely cause?
a) Core component is prioritizing forensic analysis over event forwarding
b) Endpoint agents are not generating sufficient telemetry for event processing
c) Communication control policies are blocking outbound network connections
d) Event forwarding configuration is incomplete or filtering out specific event types
02. Which two types of data are essential for reconstructing an attack timeline in FortiEDR?
(Choose two.)
a) Process execution logs showing parent-child relationships and timestamps
b) NAT session logs showing address translation activity
c) VLAN segmentation configuration across switching infrastructure devices
d) Routing table updates reflecting network path changes
e) File modification records indicating creation and alteration events
03. During a FortiEDR investigation, an administrator reviews a timeline showing the following sequence:
- A user downloads a file from an external website
- The file spawns a hidden process
- The process modifies system files and initiates outbound connections
Which conclusion best describes this activity?
a) Legitimate application performing routine update and configuration tasks
b) Multi-stage attack involving execution, persistence, and command-and-control communication
c) System maintenance process modifying files and validating external connections
d) Endpoint agent generating false positives due to aggressive detection settings
04. Which two actions help reduce false positives in FortiEDR?
(Choose two.)
a) Remove endpoint monitoring to reduce event generation
b) Ignore low-severity alerts when configuring policies
c) Disable all detection rules to eliminate unnecessary alerts
d) Use Simulation mode to validate policy impact before enforcement
e) Fine-tune detection policies based on observed legitimate behavior patterns
05. A FortiEDR deployment shows a high number of false positives after enabling a new security policy in Prevention mode. What is the most effective first step?
a) Switch the policy to Simulation mode to evaluate and refine behavior
b) Disable all security policies to immediately eliminate false positives
c) Increase Core processing capacity to handle additional event volume
d) Remove endpoint agents from affected systems to stop event generation
06. Which two characteristics distinguish an incident from a single event in FortiEDR?
(Choose two.)
a) Event automatically triggers full forensic investigation workflow
b) Incident provides contextual information linking events across endpoints
c) Incident aggregates multiple related events into a single correlated case
d) Event includes complete attack chain reconstruction by default
e) Event represents only isolated activity without correlation
07. During investigation, an administrator identifies unusual privilege escalation attempts. What is the most likely goal of the attacker?
a) Gaining higher-level access to execute restricted actions on the system
b) Reducing system performance to cause denial-of-service conditions
c) Encrypting files to initiate a ransomware attack across endpoints
d) Establishing outbound communication with command-and-control servers
08. Which two conditions can cause FortiEDR to miss detecting malicious activity?
(Choose two.)
a) Static routing entries are misconfigured across network devices
b) Endpoint agents are outdated or not properly functioning on systems
c) VLAN segmentation is incorrectly configured across switching infrastructure
d) Security policies are not configured to detect specific threat behaviors
e) NAT translation rules are incorrectly applied on firewall interfaces
09. An administrator configures a FortiEDR deployment where endpoints connect through a centralized Collector. During peak hours, event processing becomes delayed. Which architectural adjustment would most effectively improve performance?
a) Reduce endpoint monitoring sensitivity to minimize generated events
b) Disable forensic data collection to reduce system processing overhead
c) Deploy additional Collectors to distribute endpoint communication load
d) Modify communication control policies to limit endpoint network activity
10. Which two benefits result from integrating FortiEDR with the broader Fortinet ecosystem?
(Choose two.)
a) Improved threat detection through correlation across multiple security layers
b) Faster incident response using coordinated actions across integrated systems
c) Automatic configuration of network routing across infrastructure devices
d) Replacement of endpoint agents with network-based detection systems
e) Elimination of the need for security policies across endpoints