Refer to the exhibit.

You are reviewing the Triggering Events page for a FortiSIEM incident. You want to remove the Reporting IP column because you have only one firewall in the topology. How do you accomplish this? (Choose one answer)
Comprehensive and Detailed Explanation From FortiSOAR 7.6, FortiSIEM 7.3 Exact Extract study guide:
In FortiSIEM 7.3, the Triggering Events view is a dynamic table that displays the individual logs that caused a specific rule to fire. To manage the visibility of data within this specific view:
Interface Customization: The 'Triggering Events' tab includes a column management feature. By clicking on the column headers or the table settings icon (typically found at the top right of the event list), an analyst can customize the display columns. This allows the user to uncheck the 'Reporting IP' attribute, effectively hiding it from the view without altering the underlying data or rule logic.
Operational Efficiency: This is a common task in environments with a simplified topology where the 'Reporting IP' is redundant information. Customizing the view helps the analyst focus on the most relevant data points, such as 'Source IP,' 'Destination IP,' and 'Destination Port.'
Why other options are incorrect:
A (Incident Action): Clearing a field from the Incident Action configuration affects what data is sent in an email alert or passed to a SOAR platform, but it does not change the layout of the FortiSIEM GUI 'Triggering Events' page.
B (Disable Correlation): Disabling correlation for an attribute determines whether that attribute is used by the rules engine to group events. It does not control the visual display of columns in the incident dashboard.
C (Parsing Rules): Removing attributes via parsing rules is a destructive process that prevents the SIEM from indexing that data entirely. This would make the 'Reporting IP' unavailable for all searches and reports, which is excessive for a simple display preference.