FCSS_ADA_AR-6.7 Questions and Answers

TheLookupTableHasfunction is used tocheck whether a specified key exists in a lookup table. It returnseither true or false, depending on whether the key is found in the table.

● If the key is present, the function returnstrue.

● If the key is absent, the function returnsfalse.

Total EPS License Purchased: 500 EPS

Allocated EPS:

● Customer A: 100 EPS

● Customer B: 200 EPS

Remaining EPS Pool:

500 − (100 + 200) = 200 EPS

Collaborative knowledge sharing: FortiSOAR enables security teams to share knowledge, automate workflows, and improve incident response efficiency by centralizing intelligence and standardizing processes.

Addressing analyst skills gap: By automating repetitive tasks and providing guided response playbooks, FortiSOAR helps SOC teams compensate for skill shortages and improve operational effectiveness.

Reducing human error: Automation and predefined workflows minimize manual interventions, reducing the likelihood of errors in incident detection, response, and remediation.

FortiSIEM does not allow CMDB queries to be nested within other CMDB queries. CMDB data is static information, and nesting would not add value or function properly in query execution.

The administrator is running an analytic search that groups results bySource IP, Reporting IP, and User, and filters only those with aCOUNT >= 3.

Looking at the data:

●Adminhas three failed attempts from thesame Source IP (203.0.113.4)andReporting IP (10.0.1.99).

●JanandSarahappear onlyonce or twicein the dataset.

●Tomhasmultiple entries, but they are fromdifferent Source IPs and Reporting IPs, meaning they are not counted as three under the same group.

FortiSIEMcollectorsare responsible forgathering logsfrom devices andforwarding themto the FortiSIEM cluster. Their communication with the cluster follows these key principles:

●Collectors periodically communicate with the supervisor node.

● This allows them toreport status, receive updates, and verify configurations.

●The supervisor periodically checks the health of the collector.

● Thesupervisor monitors the collector’s uptime, connectivity, and performance.

●Collectors upload event data to worker nodes but report health to the supervisor.

●Event logs are uploaded to worker nodesas per theworker upload list, ensuring distributed event processing.

●Health status is always reported directly to the supervisorfor centralized monitoring.

The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session)represents the current firewall session rate.

STAT_AVG(AVG(Firewall Session);112)represents the historical average over a 112-time unit window.

STAT_STDDEV(AVG(Firewall Session);112)represents the historical standard deviation over the same period.

AZ-score ≥ 3indicates that the current firewall session rate issignificantly higherthan the historical average (3 standard deviations above the mean), signaling ananomaly.

Afterregistration, collectors maintaincontinuous communicationwith theSupervisorto ensure properevent processing, system health monitoring, and failover handling. The two key reasons collectors communicate with the Supervisor are:

1.To upload event data if a worker is down

If aworker node fails, thecollector can temporarily store event logsand then forward them to the Supervisor.

This ensuresevent continuityeven during infrastructure issues.

2.To report its own health status

Thecollector sends health reportsto theSupervisor, including resource usage, connectivity status, and operational logs.

This helps FortiSIEM trackcollector uptime and performance.

TheWindows agent (fortibank_dc.fortibank.net)is in an"Unmanaged"state, which indicates that it has not received amonitoring templatefrom FortiSIEM. Without a template, the agent does not know what logs to collect or forward, meaning it isnot sending logs to the supervisor.

Theagent is registered, meaning it has completed the installation and connection process. Since it isunmanaged, it isnot actively monitoredor configured to send logs. To resolve this, the administrator mustassign a monitoring templateto enable proper log forwarding.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

When registeringagentsin FortiSIEM, the organization to which they belong depends on how they are installed:

●Windows Agents

● During installation, the setup wizard prompts the user to specify theorganization.

● This ensures the agent is correctly assigned to the organization defined during setup.

●Linux Agents

● Installation on Linux requirescommand-line parameters, including theorganization name.

● This means that the organization is explicitly defined during the installation process.

Guaranteed Allocation:50 + 100 + 150 = 300 EPS

Actual (Incoming) Usage:25 + 50 + 75 = 150 EPS→ Unused from guarantees = 300 − 150 = 150 EPS

Burst Capacity (Licensed minus Guaranteed):520 − 300 = 220 EPS

Total Unused Capacity:150 + 220 = 370 EPS

As a Percentage of Licensed EPS:370/520 ≈ 71.15% → reported (after conversion/rounding) as ~71.460