FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Questions and Answers

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.

Exact Extract: Study Guide p.184: reports and charts can be imported/exported; templates and datasets cannot be exported directly.

Technical Deep Dive: The correct answers are B and C. FortiAnalyzer allows reports and charts to be imported and exported between same-type ADOMs or FortiAnalyzer devices. The guide explicitly says templates and datasets cannot be exported directly. Datasets move only as dependencies of exported charts, not as standalone exportable modules. Therefore, reports and charts are the two modules that match the direct import/export capability described in the guide.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide explains that FortiView provides dashboards for summarized network information, and that the Threats dashboard shows “top threats.” It also states that from a FortiView widget, “you can find more details about a specific entry,” and that the Top Threats widget displays the top threats, including IPS events and related CVE information when available.

Technical Deep Dive: The correct answer is A because the FortiView Top Threats table includes an entry named Apache.Expect.Header.XSS . That threat name directly indicates a cross-site scripting/XSS-related signature associated with Apache. The same row shows the threat type as IPS , meaning FortiAnalyzer is displaying it as an IPS-detected threat event. Therefore, the analyst can reasonably conclude that FortiAnalyzer recorded XSS attack activity against an Apache web server or Apache-related service.

Option B is not supported. The presence of a CVE ID provides vulnerability context, but it does not automatically mean that attack must be prioritized over every other entry. In FortiAnalyzer/FortiView, prioritization depends on threat level, threat score, incident count, affected assets, and SOC impact. In the exhibit, some entries without CVE IDs have higher threat scores and more incidents than the Apache XSS entry.

Option C is wrong because the exhibit itself includes non-IPS threat types, such as Malicious Website and P2P . FortiAnalyzer does not treat only IPS threats as genuine threats. FortiView aggregates multiple security-relevant categories so analysts can review threats across different log and detection types.

Option D is not a safe conclusion. The displayed table does not show a Critical threat level in the visible rows, but that does not prove that no critical threats exist. The view may be filtered, scoped by time, or limited to the currently displayed Top Threats entries. A SOC analyst should not infer total absence of critical threats from a filtered widget alone.

Exact Extract: Study Guide p.211: trigger variables use information from the event or incident trigger in later playbook tasks.

Technical Deep Dive: The correct answer is B. Trigger variables allow a playbook task to reuse values from the event or incident that started the playbook, such as endpoint IP, device, severity, or incident fields. That allows a task to filter a report, get matching logs, or target a response action dynamically. Option A describes monitoring statistics, not variables. Option C reverses the relationship: the trigger starts the playbook, and the variables are then available to tasks. Option D is unrelated to ON_SCHEDULE timing.

Exact Extract: Study Guide p.141: Insert Rate is the rate logs are indexed; Receive Rate is the rate raw logs reach FortiAnalyzer.

Technical Deep Dive: The correct answer is A. At the indicated time, the insert-rate value is higher than the receive-rate value, which means FortiAnalyzer is indexing logs faster than new logs are arriving. This can happen when the database is catching up with previously received logs. Option B is too literal and unsupported; the graph shows rates, not a one-log daemon lead. Option C is wrong because a rebuild is not indicated by a single favorable rate point. Option D would apply when received logs are waiting because indexing is behind, which is the reverse condition.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.168-p.172: templates define layout, while reports include report settings and more configuration.

Technical Deep Dive: The correct answer is A. Reports provide more configuration options because they include the layout/template plus operational settings such as time period, target devices, scheduling, filters, output behavior, and advanced settings. Templates contain the Editor-tab layout elements and do not include basic or advanced report settings. Option B is wrong because both reports and templates can be cloned. Option C is wrong because templates can include macros. Option D is wrong because templates are not mapped to device groups as stated.

Exact Extract: Study Guide p.105-p.106: incident analysis includes audit history, and incident settings/status should be kept up to date.

Technical Deep Dive: The correct answer is A. When an analyst changes an incident status to Closed: False Positive, FortiAnalyzer records the action in the incident audit history. That preserves accountability and allows other analysts to see what changed and why. The corresponding event is not automatically reclassified as mitigated. The incident is not deleted just because it is closed. The incident number remains stable because it is the identifier used to track the case through its lifecycle.

Exact Extract: Study Guide p.59: event logs show system-wide information; application logs are ADOM-specific, and non-root ADOMs show only application logs.

Technical Deep Dive: The correct answers are C and D. FortiAnalyzer local logs include system-wide event logs and ADOM-specific application logs. Because non-root ADOMs show only application logs, system event logs are effectively a root-ADOM visibility item. Option A is wrong because local audit logs are accessible in Log View under ADOMs. Option B overstates playbook visibility; playbook/application logs are ADOM-specific and should not be treated as all centralized in root for every ADOM.

Exact Extract: Study Guide p.120: FortiAI can support incident investigation, response, threat hunting, impact analysis, and remediation recommendations.

Technical Deep Dive: The correct answers are B, C, and E. FortiAI in FortiAnalyzer is designed to assist SOC workflows: interpreting security events, generating incident summaries, identifying possible impacts, recommending remediation, generating queries, and supporting threat hunting. Site-to-site VPN and SD-WAN overlay configuration are FortiGate/FortiManager network configuration tasks, not the FortiAnalyzer FortiAI use cases described in the Analyst guide. The guide keeps FortiAI scoped to FortiAnalyzer security operations and analytics workflows.

Exact Extract: Official Fortinet FortiSIEM MEA guidance: after enabling the Collector MEA, it must be registered to a licensed FortiSIEM Supervisor.

Technical Deep Dive: The correct answer is D. FortiSIEM MEA on FortiAnalyzer functions as a FortiSIEM collector component and must register to a FortiSIEM Supervisor for operation. Option A describes FortiSOAR-style incident lifecycle management more than FortiSIEM MEA. Option B is wrong because the management extension runs on FortiAnalyzer rather than as a dedicated VM for the MEA itself. Option C is inaccurate because Fortinet documents CPU/RAM caps for MEAs, not a 50% disk-space cap as the defining requirement.

Exact Extract: Study Guide p.126: threat hunting is a proactive search for suspicious or risky network activity.

Technical Deep Dive: The correct answer is D. Threat hunting is FortiAnalyzer’s proactive investigation workflow. Instead of waiting for an event handler or incident to tell the SOC what happened, the analyst begins with a hypothesis and searches logs for suspicious patterns. FortiView is valuable for visibility but is not, by itself, the named proactive method. Outbreak alerts notify about emerging threats, and the Incidents dashboard manages known incidents. Threat hunting is the feature that best matches proactive network-security management.

Exact Extract: Study Guide p.82: " Unhandled " means the security event risk is not mitigated or contained, and an IPS/AV pass action is an example.

Technical Deep Dive: The correct answer is B because an IPS log with action=pass means the traffic matched or was observed in a way that generated a security event, but the traffic was not blocked, dropped, or quarantined. FortiAnalyzer therefore treats the event as still open from a SOC workflow perspective. Option A is wrong because quarantine isolates the malicious object and maps to Contained. Options C and D are wrong because dropped or blocked actions mean enforcement already occurred, which maps to Mitigated rather than Unhandled.

Exact Extract: Study Guide p.130: the IOC service uses FortiGuard and analyzes web filtering, DNS, and traffic logs for breach detection.

Technical Deep Dive: The correct answers are B and D. To view compromised hosts, FortiAnalyzer needs relevant logs that expose suspicious destinations or web activity, and it needs current FortiGuard IOC intelligence. Web filtering logs are especially important because they contain URL/domain activity that can be compared with FortiGuard threat intelligence. The FortiGuard subscription keeps the threat database current. Option A may help identify devices in some FortiGate workflows, but it is not the core IOC requirement described in the Analyst guide. Option C is wrong because FortiAnalyzer does not need direct reachability to every endpoint; it evaluates logs received from FortiGate.

Exact Extract: Study Guide p.211: output variables use the output from a preceding task as input to the current task.

Technical Deep Dive: The correct answer is B. The exhibit shows the analyst referencing output from an earlier task, such as a generated report identifier, so a later task can attach that result to an incident. That is an output variable. A trigger variable would pull values from the event or incident that started the playbook. The analyst is not creating the report object itself, nor creating a SOC report definition; the report task has already produced data, and the current task is consuming that output dynamically.

Exact Extract: Study Guide p.82: Mitigated means a security risk was blocked or dropped.

Technical Deep Dive: The correct answer is C. The exhibit shows a mitigated event with blocked web activity, so the accurate statement is that the security risk was blocked. A dropped action would also be a mitigated outcome, but the displayed event specifically indicates blocked. Option B describes Contained status, where the risk source is isolated. Option D is wrong because the event type shown is Web Filter, not application control. Option A is less precise than the exhibit because the action shown is blocked rather than dropped.

Exact Extract: Study Guide p.9: Tier 2 Incident Responder investigates escalated alerts in more depth for response.

Technical Deep Dive: The correct answer is D. When an event is escalated into an incident, the SOC role responsible for deeper handling and response is the incident responder. Tier 1 security analysts handle monitoring and triage. Threat hunters proactively search for complex or hidden threats rather than owning every escalated incident. SOC engineers maintain tools such as SIEM/SOAR platforms but are not the primary incident-handling role. The guide’s SOC role model places escalated response work with the Incident Responder.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that administrators can use CLI commands “to gather log rate and device usage statistics” to understand “the log volume and whether your disk quota is configured appropriately.” It also explains that if log volume is too high, FortiAnalyzer may not be able to retain “analytics logs or archive logs for the amount of time configured in the ADOM.”

Technical Deep Dive: The correct answer is B because the exhibit shows the disk quota allocation for ADOM1 split into two major areas: Logs and Database . Under the ADOM1 row, the Logs quota is shown as 900.0 MB , and the Database quota is shown as 2.1 GB . When these are added together, the total allocated quota for ADOM1 is approximately 3 GB .

Option A is not the best answer because the output does not show that ADOM1 has exactly 300 MB of total disk space remaining. It is true that the Logs section has roughly 299 MB remaining because 900 MB quota minus 601 MB used is about 299 MB. However, the question asks what can be concluded from the whole output, and the output also includes the database quota and database usage. So treating 300 MB as the total remaining ADOM space is incomplete.

Option C is wrong because archive/log-file usage is not greater than analytic/database usage in the output. The Logs section shows about 601 MB used, while the Database section shows about 1.9 GB used. The study guide separates archive logs from analytics logs: archive logs are rolled and compressed log files, while analytics logs are indexed in the SQL database for immediate analysis. Here, the database/analytic side is using more space than the log/archive side.

Option D is wrong because the exhibit showing 0.0 KB for quarantine does not mean no quota is allocated to quarantining files. It only means quarantine usage is currently zero. The output is reporting current disk usage and quota allocation, not proving that quarantine storage is unavailable.

Exact Extract: Study Guide p.157-p.158: report datasets use SQL SELECT queries, and clauses must be in the correct order.

Technical Deep Dive: The correct answer is A. The valid query must select the required fields, read from $log, apply the filter for the source IP, group the selected values, and order the output as expected. Option A follows the SQL structure FortiAnalyzer expects for report datasets. The incorrect options either reverse the filter logic, place clauses in the wrong order, or use malformed aliases/conditions. In FortiAnalyzer reporting, a syntactically correct dataset is mandatory because the chart receives only the data returned by that SQL SELECT query.

Exact Extract: Study Guide p.82: Unhandled means the security event risk is open and not mitigated or contained.

Technical Deep Dive: The correct answer is D. The exhibit shows the event status as Unhandled, which FortiAnalyzer defines as an open security event risk. That means the analyst should not treat the event as already blocked, quarantined, or isolated. Option A cannot be concluded because incident creation is a separate escalation action. Option B maps to Contained, not Unhandled. Option C uses a workflow term that is not the status shown in the event.