NSE 7 – OT Security 6.4 — Question 1
An OT administrator is defining an incident notification policy in FortiSIEM. If an incident occurs, the administrator would like to be able to intervene and block an IP address or disable a user in Active Directory from FortiSIEM.
Which step must the administrator take to achieve this task?
Answer options
- A. Configure a fabric connector with a notification policy on FortiSIEM to connect with FortiGate.
- B. Create a notification policy and define a script/remediation on FortiSIEM.
- C. Define a script/remediation on FortiManager and enable a notification rule on FortiSIEM.
- D. Deploy a mitigation script on Active Directory and create a notification policy on FortiSIEM.
Correct answer: B
Explanation
The correct answer is B because creating a notification policy and defining a script/remediation within FortiSIEM allows the administrator to directly respond to incidents. The other options either involve incorrect components, such as FortiManager or Active Directory, or do not directly enable the required response capabilities from FortiSIEM.