The correct answers are A and B.
The exhibit shows the event classification as Malicious, classified by FortinetCloudServices, and the history states that device R2D2-kvm63 was moved from the Training Collector Group to the High Security Collector Group. This is a Playbook action. The FortiEDR guide explains that after classification changes, the Overview pane displays the history of automatic FortiEDR actions, including Playbook policy-related actions.
The guide specifically lists Move device to High Security Group under Investigation actions in Playbook policies. It states that a checkmark in a classification column means the device is automatically moved to the High Security Collector Group when a security event with that classification is triggered. So the exhibit proves that Playbooks are configured for this event.
The second correct answer is B because the triggered rule is under Training • Extended Detection. The FortiEDR guide states that the eXtended Detection Policy logs events and displays them in the Incidents tab, but no blocking options are provided for this policy.
Option C is wrong because moving a device to the High Security Collector Group is not the same as isolating the device. Isolation would block communication to/from the affected Collector. The exhibit shows a Collector Group move, not isolation.
Option D is wrong because Extended Detection does not block. The guide explicitly says Extended Detection events are logged and displayed, with no blocking options provided.
=========