FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Questions and Answers

From the provided XML configuration, we need to focus on the < GroupByAttr > section, which defines the attributes used for grouping.

In the SelectClause , the following attributes are listed:

reptDevName, reptDevAddr, COUNT(*), COUNT(DISTINCT user), COUNT(DISTINCT srcIpAddr)

● reptDevName represents the reporting device .

● reptDevAddr represents the reporting IP .

● COUNT(DISTINCT user) tracks unique users.

● COUNT(DISTINCT srcIpAddr) tracks distinct source IPs.

In the GroupByAttr section:

< GroupByAttr > reptDevName, reptDevAddr < /GroupByAttr >

This confirms that the grouping is performed by Reporting Device (reptDevName) and Reporting IP (reptDevAddr) .

Based on the provided exhibit, we can determine how long the UEBA agent has been operationally down by looking at the " First Occurred " and " Last Occurred " timestamps.

● First Occurred: Sep 13, 2021, at 01:10 PM

● Last Occurred: Sep 14, 2021, at 09:10 AM

From Sep 13, 01:10 PM to Sep 14, 01:10 AM → 12 hours

From Sep 14, 01:10 AM to Sep 14, 09:10 AM → 8 hours

Total downtime = 12 + 8 = 20 hours

In FortiSIEM baselining , an hourly bucket is used to maintain hourly-specific statistical baselines . This helps detect anomalies by comparing current activity against historical norms for each hour of the day , separately for weekdays and weekends .

The system maintains hourly profiles , ensuring that anomalies are detected based on similar timeframes. This approach prevents false positives due to natural variations in network activity across different times of the day and different days of the week.

The admin password is a mandatory field, as indicated in the exhibit ( " Required " in red). It is needed for authentication and administrative access.

The organization name ( " University " ) is necessary to associate the collector with the correct organization.

The Admin User (uniadmin) is a required field for defining the administrator of the collector.

In the exhibit, the " Clear If " condition does not specify a condition for auto-clearing the incident. If an incident does not have a specific clear condition, it remains active until manually resolved or cleared by another process.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.

From the Filters section in the exhibit, we see:

1. Event Type IN EventTypes: Domain Account Locked

This means the rule will match events where the event type is classified under the Domain Account Locked category.

2. Reporting IP IN Applications: Domain Controller

This means the rule is filtering for events where the reporting IP is classified under the Domain Controller applications group .

3. Logical Operator: AND

The filters are combined using AND , meaning both conditions must be met for an event to match.

Since both conditions must be true, the rule is effectively filtering events where:

● The event type belongs to the Domain Account Locked CMDB group

● The reporting IP belongs to the Domain Controller applications group

Total EPS License Purchased: 500 EPS

Allocated EPS:

● Customer A: 100 EPS

● Customer B: 200 EPS

Remaining EPS Pool:

500 − (100 + 200) = 200 EPS

The LookupTableHas function is used to check whether a specified key exists in a lookup table . It returns either true or false , depending on whether the key is found in the table.

● If the key is present, the function returns true .

● If the key is absent, the function returns false .

From the " Clear If " condition in the exhibit:

● WITHIN 5 minutes , the system checks if the pattern AllPingLossSrv_CLEAR occurs.

● The Host IP of the clear condition must match the Host IP of the original rule ( Clear_Condition.Host IP = Original_Rule.Host IP ).

● If this condition is met, the system automatically clears the incident because it indicates that network connectivity has been restored (packet loss has dropped).

Thus, the incident was auto-cleared because the system detected that the issue was resolved within the defined 5-minute window , meeting the conditions for auto-clearance.

The Z-score formula in the expression builder calculates how many standard deviations the current value is from the historical average. The formula used is:

AVG(Firewall Session) represents the current firewall session rate.

STAT_AVG(AVG(Firewall Session);112) represents the historical average over a 112-time unit window.

STAT_STDDEV(AVG(Firewall Session);112) represents the historical standard deviation over the same period.

A Z-score ≥ 3 indicates that the current firewall session rate is significantly higher than the historical average (3 standard deviations above the mean), signaling an anomaly .

In a multi-tenant FortiSOAR deployment, a Managed Security Service Provider (MSSP) hosts a shared FortiSOAR instance that serves multiple customers. Each customer operates as a separate tenant within the instance, ensuring data isolation and security.

FortiSOAR uses secure network connectivity (VPNs, direct connections, or secure tunnels) between the MSSP’s FortiSOAR manager node and the customer’s devices.

The customer does not need to install additional software or tenant nodes; instead, the MSSP manages multi-tenancy at the platform level.

After registration , collectors maintain continuous communication with the Supervisor to ensure proper event processing, system health monitoring, and failover handling . The two key reasons collectors communicate with the Supervisor are:

1. To upload event data if a worker is down

If a worker node fails , the collector can temporarily store event logs and then forward them to the Supervisor.

This ensures event continuity even during infrastructure issues.

2. To report its own health status

The collector sends health reports to the Supervisor , including resource usage, connectivity status, and operational logs.

This helps FortiSIEM track collector uptime and performance .