Exact Extract: Study Guide p.82: Contained means the risk source is isolated; antivirus quarantine is the example.
Technical Deep Dive: The correct answer is A. An AV log with action=quarantine indicates that the detected file or object has been isolated, so FortiAnalyzer classifies the event status as Contained. An IPS log with action=pass is Unhandled because the risk was not stopped. WebFilter dropped and AppControl blocked are enforcement outcomes, so they align with Mitigated rather than Contained. The distinction matters in SOC triage: a Contained event still deserves analyst review, but the immediate source or object has already been isolated.