FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Questions and Answers

To viewCompromised Hostson FortiAnalyzer, certain configurations need to be in place on both FortiGate and FortiAnalyzer. Compromised Host data on FortiAnalyzer relies on log information from FortiGate to analyze threats and compromised activities effectively. Here’s why the selected answers are correct:

Option A: Enable device detection on the FortiGate devices that are sending logs to FortiAnalyzer

Enabling device detection on FortiGate allows it to recognize and log devices within the network, sending critical information about hosts that could be compromised. This is essential because FortiAnalyzer relies on these logs to determine which hosts may be at risk based on suspicious activities observed by FortiGate. This setting enables FortiGate to provide device-level insights, which FortiAnalyzer uses to populate the Compromised Hosts view.

Option B: Enable web filtering in firewall policies on FortiGate devices, and make sure these logs are sent to FortiAnalyzer

Web filtering is crucial in identifying potentially compromised hosts since it logs any access to malicious sites or blocked categories. FortiAnalyzer uses these web filter logs to detect suspicious or malicious web activity, which can indicate compromised hosts. By ensuring that FortiGate sends these web filtering logs to FortiAnalyzer, the administrator enables FortiAnalyzer to analyze and identify hosts engaging in risky behavior.

Let’s review the otheroptions for clarity:

Option C: Make sure all endpoints are reachable by FortiAnalyzer

This is incorrect. FortiAnalyzer does not need direct access to all endpoints. Instead, it collects data indirectly from FortiGate logs. FortiGate devices are theones that interact with endpoints and then forward relevant logs to FortiAnalyzer for analysis.

Option D: Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date

Although subscribing to FortiGuard helps keep threat intelligence updated, it is not a requirement specifically to view compromised hosts. FortiAnalyzer primarily uses logs from FortiGate (such as web filtering and device detection) to detect compromised hosts.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The exhibit shows the eventEvent Status = MitigatedandEvent Type = Web Filter, with the event message indicating the web request wasblocked.

The study guide definesMitigatedevents as follows:“Mitigated: The security risk is mitigated by being blocked or dropped.”This means a mitigated status corresponds to enforcement that prevented the risk (block/drop), not a condition where the source is isolated.

It also distinguishesContainedevents from mitigated ones:“Contained: The risk source is isolated.”Since the exhibit clearly showsMitigated(not Contained), optionBis incorrect.

Additionally, the study guide notes:“Generally, you can acknowledge mitigated events because the related traffic was blocked by the firewall.”This aligns directly with the exhibit’s “blocked” wording and supports that the correct interpretation is that the security risk was blocked.

Finally, the event type displayed isWeb Filter, not application control, so optionDis incorrect.

Therefore, the correct statement isC. The security risk was blocked.

When you frequently use the same search parameters in FortiAnalyzer’s Log View, setting up a reusable filter or view can saveconsiderable time. Here’s an analysis of each option:

Option A - Configure a Custom Dashboard:

Custom dashboards are useful for displaying a variety of widgets and summaries on network activity, performance, and threat data, but they are not designed for storing specific search filters for log views.

Conclusion:Incorrect.

Option B - Configure a Custom View:

Custom views in FortiAnalyzer allow analysts to save specific search filters and configurations. By setting up a custom view, you can retain your frequently used search parameters and quickly access them without needing to reapply filters each time. This option is specifically designed to streamline the process of recurring log searches.

Conclusion:Correct.

Option C - Configure a Data Selector:

Data selectors are used to define specific types of data for FortiAnalyzer reports and widgets. They are useful in reports but are not meant for saving and reusing log search parameters in Log View.

Conclusion:Incorrect.

Option D - Configure a Macro and Apply It to Device Groups:

Macros in FortiAnalyzer are generally used for automation tasks, not for saving log search filters. Applying macros to device groups does not fulfill the requirement of saving specific log view search parameters.

Conclusion:Incorrect.

Conclusion:

Correct Answer:B. Configure a custom view.

Custom views allow you to save specific search filters, enabling quick access to frequently used parameters in Log View.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The study guide explicitly describes what content fromFabric membersis visible/usable on theFabric supervisor:

Logs:“In the FortiAnalyzer Fabric supervisor,Log View displays logs collected on all FortiAnalyzer Fabric members.”

Reports:“For reports, the FortiAnalyzer Fabric supervisorcan fetch and aggregate data from multiple membersin the FortiAnalyzer Fabric.”

Events:“Events generated by event handlers on the FortiAnalyzer Fabric members are visible on the supervisor.”

By contrast, the study guide lists a key limitation that rules outPlaybooksas a supervisor capability over members: “You are not able to perform configuration changes or torun automation playbooks from the Fabric supervisor to members.”

Therefore, the three modules available for analysis on the supervisor areLogs, Events, and Reports(C, D, E).

The requirement here is to construct a SQL query that retrieves logs with specific fields, namely "Source IP" and "Destination Port," for entries where the source IP address matches 10.0.1.10. The correct syntax is essential forselecting, filtering, ordering, and grouping the results as shown in the expected outcome.

Analysis of the Options:

Option A Explanation:

SELECT srcip AS "Source IP", dstport AS "Destination Port": This syntax selects srcip and dstport, renaming them to "Source IP" and "Destination Port" respectively in the output.

FROM $log: Specifies the log table as the data source.

WHERE $filter AND srcip = '10.0.1.10': This line filters logs to only include entries with srcip equal to 10.0.1.10.

ORDER BY dstportDESC: Orders the results in descending order by dstport.

GROUP BY srcip, dstport: Groups results by srcip and dstport, which is valid SQL syntax.

This option meets all the requirements to get the expected results accurately.

Option B Explanation:

WHERE $filter AND Source IP != '10.0.1.10': Uses != instead of =. This would exclude logs from the specified IP 10.0.1.10, which is contrary to the expected result.

Option C Explanation:

The ORDER BY clause appears before the FROM clause, which is incorrect syntax. SQL requires the FROM clause to follow the SELECT clause directly.

Option D Explanation:

The GROUP BY clause should follow the FROM clause. However, here, it’s located after WHERE, making it syntactically incorrect.

Conclusion:

Correct Answer:A. Option A

This option aligns perfectly with standard SQL syntax and filters correctly for srcip = '10.0.1.10', while ordering and grouping as required.

In a FortiAnalyzer Fabric, devices canparticipate in a cluster or grouping if they meet specific compatibility criteria. Based on the outputs provided, let’s evaluate these criteria:

Version Compatibility:

All three devices, FortiAnalyzer1, FortiAnalyzer2, and FortiAnalyzer3, are runningversion v7.4.1-build0238, which is the same across the board. This version alignment is crucial because FortiAnalyzer Fabric requires that devices run compatible firmware versions for seamless communication and management.

Platform Type and Configuration:

All three devices are configured asStandalonein the HA mode, which allows them to operate independently but does not restrict their participation in a FortiAnalyzer Fabric. Each device is also on theFAZVM64-KVMplatform type, ensuring hardware compatibility.

Global Settings:

Key settings such as adm-mode, adm-status, and adom-mode are consistent across all devices (adm-mode: normal, adm-status: enable, adom-mode: normal), which aligns with requirements for fabric integration and role assignment flexibility.

Each device also has thelog-forward-cache-sizeset, which is relevant for forwarding logs within a fabric environment.

Based on the above analysis,all devices(FortiAnalyzer1, FortiAnalyzer2, and FortiAnalyzer3) meet the requirements to be part of a FortiAnalyzer Fabric.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The FortiAnalyzer study guide states that blocking suspicious indicators is performed by integrating FortiAnalyzer withFortiManager(not by directly pushing a block list to FortiGate). Specifically:“To use this feature, you must set up an authorized FortiManager connector for the FortiAnalyzer on the Fabric Connector page of FortiAnalyzer.”

It then explains the backend mechanism:“In the back end, a playbook called Block_indicator runs every 5 minutes to send the information to FortiManager.”After a successful run,“the blocked indicator is pushed to the FortiManager External Resource list.”From there, FortiManager can create threat feeds/security profiles/policy blocks and push policies to FortiGate as needed—however, the study guide clarifies:“The Blocked status on FortiAnalyzer confirms that the list is updated on FortiManager, but it is not synced to FortiGate.”

Therefore, FortiAnalyzer blocks indicators by using aFortiManager connectorand sending the block information to FortiManager (Option B).

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The FortiAnalyzer study guide explains that IOC identification is performed by comparing relevant log fields against the FortiGuard threat database. Specifically, it states:“Depending on the log type, FortiAnalyzer identifies possible compromised hosts by checking the threat database against the log's IP address, domain, and URL.”

From this extract, two of the explicit parameters FortiAnalyzer uses for IOC detection areIP addressandURL(both listed verbatim). Policy ID and application category are not part of the IOC matching parameters described for threat-database checks in this context.

This is further consistent with the study guide’s definition of indicator types, which states:“There are three types of indicators: IP addresses, URLs, and domains.”

In the exhibit, the playbook configuration shows the analyst working with the "Attach Data" action within a playbook. Here’s a breakdown of key aspects:

Incident ID: This field is linked to the "Playbook Starter," which indicates that the playbook will attach data to an existing incident.

Attachment: The analyst is configuring an attachment by selecting Run_REPORT with a placeholder ID for report_uuid. This suggests that the report’s UUID will dynamically populate as part of the playbook execution.

Analysis of Options:

Option A - Creating a Trigger Variable:

A trigger variable would typically be set up in the playbook starter or initiation configuration, not within the "Attach Data" action. The setup here does not indicate a trigger, as it’s focusing on data attachment.

Conclusion:Incorrect.

Option B - Creating an Output Variable:

The field Attachment with a report_uuid placeholder suggests that the analyst is defining an output variable that will store the report data or ID,allowing it to be attached to the incident. This variable can then be referenced or passed within the playbook for further actions or reporting.

Conclusion:Correct.

Option C - Creating a Report in the Playbook:

While Run_REPORT is selected, it appears to be an attachment action rather than a report generation task. The purpose here is to attach an existing or dynamically generated report to an incident, not to create the report itself.

Conclusion:Incorrect.

Option D - Creating a SOC Report:

Similarly, this configuration is focused on attaching data, not specifically generating a SOC report. SOC reports are generally predefined and generated outside the playbook.

Conclusion:Incorrect.

Conclusion:

Correct Answer:B. The analyst is trying to create an output variable to be used in the playbook.

The setup allows the playbook to dynamically assign the report_uuid as an output variable, which can then be used in further actions within the playbook.

Macros in FortiAnalyzer are used to streamline reporting tasks by automating dataextraction and report generation. Here’s a breakdown of each option to determine the correct answer:

Option A - Macros are Predefined Templates for Reports and Cannot be Customized:

This statement is incorrect. Macros in FortiAnalyzer are not simply fixed templates; they allow for customization to tailor data extraction and reporting based on specific needs and configurations.

Conclusion:Incorrect.

Option B - Macros are Useful in Generating Excel Log Files Automatically Based on the Report Settings:

This statement is accurate. Macros in FortiAnalyzer can be configured to automate the generation of reports, including outputting log data to Excel format based on predefined report settings. This makes them especially useful for scheduled reporting and data analysis.

Conclusion:Correct.

Option C - Macros are ADOM-Specific and Each ADOM Type Has Unique Macros Relevant to that ADOM:

Macros are not limited to specific ADOMs, nor are they ADOM-specific. Macros can be applied across various ADOMs based on report configurations but are not inherently tied to or unique for each ADOM type.

Conclusion:Incorrect.

Option D - Macros are Supported Only on the FortiGate ADOMs:

This is not true. Macros in FortiAnalyzer are not restricted to FortiGate ADOMs; they can be utilized across different ADOMs that FortiAnalyzer manages.

Conclusion:Incorrect.

Conclusion:

Correct Answer:B. Macros are useful in generating excel log files automatically based on the report settings.

This answer correctly describes thefunctionality of macros in FortiAnalyzer, emphasizing their role in automating report generation, especially for Excel log files.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

FortiAnalyzer 7.6 stores on-premises logs in aClickHouse SQL database(not MySQL, Postgres, or Elasticsearch). Fortinet’s FortiAnalyzer 7.6 SQL Query documentation explicitly states that log data is inserted into the SQL database and that“FortiAnalyzer uses a ClickHouse SQL database.”

This is consistent with how the study guide describes the storage/analytics pipeline in 7.6: it explains that FortiAnalyzer indexes incoming raw logs (insert rate)“by the SQL database and the sqlplugind daemon.”This “SQL database” in 7.6 corresponds to the ClickHouse-backed log database described in the Fortinet documentation.

Enablingauto-cachein FortiAnalyzer reports is designed to improve the efficiency and speed of report generation by leveraging cached data. Let’s analyze each option to determine which effects are correct.

Option A - The Generation Time for Reports is Decreased:

When auto-cache is enabled, FortiAnalyzer can use previously cached data instead of reprocessing all log datafrom scratch each time a report is generated. This results in faster report generation times, especially for recurring reports that use similar datasets.

Conclusion:Correct.

Option B - Hard-Cache Data is Automatically Updated When New Logs are Received:

Enabling auto-cache does not immediately update the cache with every new log received. Instead, the cache is updated when reports are generated, based on the existing logs up to that point. Therefore, auto-cache does not constantly refresh with each incoming log, which would be inefficient.

Conclusion:Incorrect.

Option C - FortiAnalyzer Local Cache is Used to Store Generated Reports:

Auto-cache utilizes FortiAnalyzer’s local cache to store data used in reports, reducing the need to retrieve and process logs repeatedly. This cached data can be reused for subsequent report generation, enhancing performance.

Conclusion:Correct.

Option D - The Size of Newly Generated Reports is Optimized to Conserve Disk Space:

Auto-cache does not directly impact the size ofthe report files themselves. It focuses on performance optimization through cached data for faster access, but it does not compress or optimize the storage size of the generated report.

Conclusion:Incorrect.

Conclusion:

Correct Answer:A. The generation time for reports is decreasedandC. FortiAnalyzer local cache is used to store generated reports.

Enabling auto-cache helps reduce report generation time by using locally cached data and optimizes report processing, though it does not impact report size or continuously update with each new log.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

The study guide explains that FortiAnalyzer playbook tasks rely on connectors, and that the FortiOS connector will not show its available actions until FortiGate is configured with the correct automation trigger. The guide states:“For example, the FortiOS connector will be listed as soon as the first FortiGate device is added to FortiAnalyzer. However, to see the actions related to that FortiOS connector, you must enable an automation rule using the Incoming Webhook Call trigger on FortiGate.”

This is why the required FortiGate trigger type isIncoming webhook(option B): it is the specific trigger FortiOS must use so FortiAnalyzer can expose and use the FortiOS connector actions within the playbook workflow.

Comprehensive and Detailed Explanation From Exact Extract of knowledge of FortiAnalyzer 7.6 Study guide documents:

In the exhibit, theEvent Statusshown isUnhandled(Event Type: Web Filter; Severity: Critical). The FortiAnalyzer study guide definesUnhandledevents as events whose security risk has not been addressed and is therefore still active/open. Specifically, it states:“Unhandled: The security risk is considered open.”

This directly matches optionD.

The other options correspond to different statuses or actions:

Isolated/Containedapplies when the risk source is isolated (statusContained), notUnhandled.

Escalatedrefers to events moved/raised for further action (statusEscalated), notUnhandled.

Whether an incident was created cannot be concluded solely from the status “Unhandled” in the exhibit; the study guide ties incident creation to incident management workflows rather than equating “Unhandled” with an incident being created.