FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Questions and Answers

Based on the provided exhibit, we can determine how long the UEBA agent has been operationally down by looking at the "First Occurred" and "Last Occurred" timestamps.

● First Occurred: Sep 13, 2021, at 01:10 PM

● Last Occurred: Sep 14, 2021, at 09:10 AM

From Sep 13, 01:10 PM to Sep 14, 01:10 AM → 12 hours

From Sep 14, 01:10 AM to Sep 14, 09:10 AM → 8 hours

Total downtime = 12 + 8 = 20 hours

FortiSIEM's rule engine queries the profile database to analyze historical behavior and detect anomalies. The profile database stores statistical baselines, which include:

● Statistical average (mean values over time)

● Standard deviation (variability from the mean)

These values help the rule engine determine whether an observed metric (such as logins, failed attempts, network traffic, or system performance) deviates significantly from the normal pattern for the same hour of the day.

Thelicense filelocated at/etc/opsd/.fortisiem4x0is critical for thecollector's operation, as it verifies the collector'sregistration with the supervisorand enables proper functionality.

If thislicense file is removed, the collector:

● Willlose its registrationwith the supervisor.

● Willstop receiving updates and configurationsfrom the FortiSIEM supervisor.

● Will requirere-registrationwith the supervisor to obtain a new license file.

InFortiSIEM,numPointsis a parameter used inrules and the profile databaseto ensure the reliability of statistical baselines and prevent anomalies from being falsely triggered due to insufficient data.

1.To prevent premature triggering of a rule before a baseline is set and becomes active.

numPoints ensures that a rule does not trigger until a sufficient number of data points are collectedfor the baseline.

Without enough data, the system may generatefalse positivesdue to the lack of a stable historical pattern.

2.To fetch only values from the profile database that have numPoints greater than a certain threshold.

When querying theprofile database, numPoints acts as afilterto ensure that onlydata points meeting a minimum thresholdare considered for analysis.

This prevents unreliable or insufficient historical data from affecting anomaly detection.

The exhibit shows the directory listings forthree different workers(worker1,worker2, andworker3) under the/querywkr/active/13127*path, which indicatesactive query tasksassigned to each worker.

1.Worker1 (worker1)

The output doesnotshow any subdirectories or task files (13127t0,13127t1, etc.), meaningWorker1 is not assigned any tasks.

2.Worker2 (worker2)

The output showsone task (13127t1)under/querywkr/active/13127*.

The workerhas only one assigned task, not two, so optionsC and D are incorrect.

3.Worker3 (worker3)

The output showstwo tasks (13127t0and13127t1), indicating that Worker3 is processingtwo tasksfor query ID 13127.

In FortiSIEM, an agent’s status of "Running Inactive" indicates that the agent is installed and running but not actively sending data or has encountered a misconfiguration. The following reasons can cause this status:

1. The agent was registered incorrectly

If an agent was not registered properly, it might not establish a proper connection with the FortiSIEM system, resulting in an inactive status.

2. The agent is temporarily down

If the agent goes offline (e.g., due to system shutdown, network issues, or agent crash), it will show as inactive.

3. The template was not assigned

Agents require a template to function correctly. If no template is assigned, the agent cannot collect or process events, leading to an inactive state.

InFortiSIEM baselining, anhourly bucketis used to maintainhourly-specific statistical baselines. This helps detect anomalies by comparing current activity against historical norms foreach hour of the day, separately forweekdays and weekends.

The system maintainshourly profiles, ensuring that anomalies are detected based on similar timeframes. This approach prevents false positives due to natural variations in network activity across different times of the day and different days of the week.

InFortiSIEM,SQLite databasesused forbaseliningare stored in the/opt/phoenix/cachedirectory. This location is used fortemporary storage and caching of profile datathat is essential for anomaly detection and trend analysis.

●Baselininginvolves analyzing historical data to determine expected behavior patterns.

●SQLite databasesstore aggregated statistics, which are referenced during rule evaluations.

● Thecache directoryallows quick access to these values without querying the main database repeatedly.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

In FortiSIEM, some incidents may be triggered due to temporary threshold breaches, especially in availability or performance-related monitoring. These temporary anomalies do not necessarily indicate a persistent issue or security threat.

By automatically clearing such incidents, FortiSIEM prevents unnecessary manual intervention and reduces noise in incident management.

The administrator is running an analytic search that groups results bySource IP, Reporting IP, and User, and filters only those with aCOUNT >= 3.

Looking at the data:

●Adminhas three failed attempts from thesame Source IP (203.0.113.4)andReporting IP (10.0.1.99).

●JanandSarahappear onlyonce or twicein the dataset.

●Tomhasmultiple entries, but they are fromdifferent Source IPs and Reporting IPs, meaning they are not counted as three under the same group.

In a multi-tenant FortiSOAR deployment, a Managed Security Service Provider (MSSP) hosts a shared FortiSOAR instance that serves multiple customers. Each customer operates as a separate tenant within the instance, ensuring data isolation and security.

FortiSOAR uses secure network connectivity (VPNs, direct connections, or secure tunnels) between the MSSP’s FortiSOAR manager node and the customer’s devices.

The customer does not need to install additional software or tenant nodes; instead, the MSSP manages multi-tenancy at the platform level.

In aFortiSIEM deployment,device discoveryis handled by theSupervisor, even when aCollectoris present.

● TheSupervisor initiates active scansusing protocols such asSNMP, WMI, SSH, and API queriesto discover devices in the network.

●Collectors do not perform discovery; they primarilycollect and forward logsfrom designated devices to the Supervisor.

●Workers handle event processing, not discovery.

From the"Clear If"condition in the exhibit:

●WITHIN 5 minutes, the system checks if the patternAllPingLossSrv_CLEARoccurs.

● TheHost IP of the clear condition must match the Host IP of the original rule(Clear_Condition.Host IP = Original_Rule.Host IP).

● If this condition is met, the systemautomatically clears the incidentbecause it indicates that network connectivity has been restored (packet loss has dropped).

Thus, theincident was auto-clearedbecause the system detected that the issue was resolved within the defined5-minute window, meeting the conditions for auto-clearance.