Fortinet NSE7_SOC_AR-7.6 Exam - Topic 2 Question 1 Discussion

Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:

According to the FortiAnalyzer 7.4 SOC Analyst official training material (Lesson 5: Automation) and supporting documentation for FortiSOAR 7.6 and FortiSIEM 7.3 integration, the following best practices are recommended for playbook portability:

Disable playbooks before exporting (A): When a playbook is exported, its current status (Enabled or Disabled) is preserved in the export file. If an Enabled playbook is imported into a destination ADOM where its trigger conditions are immediately met, it will start executing automatically. Disabling the playbook before export is a critical best practice to prevent unintended automated actions from occurring in the new environment before the analyst has had a chance to verify local configurations.

Include the associated connector settings (B): FortiAnalyzer allows you to include required connector configurations during the export process. By selecting this option, the exported file includes the necessary metadata and configurations for the connectors that the playbook relies on to execute its tasks. This ensures the playbook remains functional and portable across different FortiAnalyzer units or ADOMs without requiring the manual recreation of every connector.

Why other options are incorrect:

Move playbooks between ADOMs (C): There is no native 'Move' function for automation playbooks between ADOMs in the same sense as moving a device. The standard supported workflow for transferring automation logic is the Export and Import process.

Ensure names do not exist in target (D): While maintaining unique names is good practice, it is not a required 'best practice' for the export process itself because FortiAnalyzer automatically handles name conflicts. If an imported playbook shares a name with an existing one, the system automatically appends a timestamp to the new playbook's name to avoid a conflict.