Fortinet FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Exam Practice Test

Therule engineinFortiSIEMloadsbaseline data valuesfrom theprofile database. This database stores historical trends and behavioral baselines for various metrics, such asCPU usage, network activity, and authentication patterns.

●Profile databasemaintainslong-term aggregated statisticsfor anomaly detection.

●Baseline valuesare used to comparecurrent eventsagainst expected behavior.

● This helps indetecting deviations, such as a sudden increase in failed logins or unusual traffic spikes.

In a nested event query, the inner query executes first, and its results feed into the outer query. Since the Source IP comes from the report "Failed Logons to Network Devices", which is part of the inner query, the nested time range applies to it. The other attributes, Reporting IP and Event Type, belong to the outer query and are not affected by the nested time range.

These three processes are essential for aFortiSIEM collector, as they handle event parsing, agent communication, and system monitoring.

●phParseris responsible forparsing and processing collected logsbefore forwarding them.

●phAgentManagermanages agent communication, ensuring logs are received and forwarded correctly.

●phMonitorAgentmonitors the health of the collector itself, reporting system status to the FortiSIEM supervisor.

phReportMasterandphRuleMasterdo not run on collectors. They are supervisor/worker processes handling reporting and rule evaluation, respectively.

Thenatural_idvalue in theph_sys_connectortable of theFortiSIEM Postgres databaseuniquely identifies acollector.

● The SQL query retrieves details fromph_sys_connector, which stores information about registered collectors.

● Thecust_org_idfield indicates theorganization IDthe collector belongs to.

● Thenamefield shows thecollector's name(OrgA_Collector).

● Theip_addrfield lists thecollector's IP address(10.10.2.91).

● Thenatural_idvalue uniquelyidentifies the collector in the system.

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

When a WAN link failure occurs between the collector and the supervisor in FortiSIEM:

● The collector does not discard events; instead, it buffers them until the connection is restored.

● The buffering limit is up to 1 GB after compression to optimize storage and prevent data loss.

● Once the WAN link is restored, buffered events are sent to the supervisor for processing.

Automatic remediation inFortiSIEMenablesreal-time responseto security threats without manual intervention. While this can improve response times, it also introducesrisksbecauseactions are taken automatically based on predefined rules, without human verification.

● Automated responsescould mistakenly block legitimate usersfrom critical systems or applications.

●Misconfigured rulesmightdisconnect essential systems, causing business disruptions.

● If an incident isa false positive,automatic remediation may interfere with normal operationsunnecessarily.

The exhibit shows a FortiSIEM cluster deployed in a multi-tenant service provider environment, serving multiple customers. The architecture includes:

1. Customers with Collectors

Customer A and Customer B (AWS) have collectors deployed within their environments.

Collectors gather and forward logs to the FortiSIEM cluster for centralized analysis.

2. Customers Without Collectors

Customer C does not have a collector; instead, it sends logs directly to the FortiSIEM cluster.

3. Super Organization Managing Infrastructure

The service provider infrastructure devices (e.g., networking and security appliances) are managed directly by the FortiSIEM cluster.

This mixed setup, where some customers use collectors while others send logs directly, represents a hybrid deployment with and without collectors.

In FortiSIEM, some incidents may be triggered due to temporary threshold breaches, especially in availability or performance-related monitoring. These temporary anomalies do not necessarily indicate a persistent issue or security threat.

By automatically clearing such incidents, FortiSIEM prevents unnecessary manual intervention and reduces noise in incident management.

InFortiSIEM, anintegration policycan be invokedthrough Notification Policy settings. This allows automated responses such as:

● Sending alerts toexternal systems (e.g., SIEMs, ticketing systems, SOAR platforms).

● Triggering actions based on specificincident rules.

● Integrating withthird-party solutionsforremediation, escalation, or logging.

FortiSIEM does not allow CMDB queries to be nested within other CMDB queries. CMDB data is static information, and nesting would not add value or function properly in query execution.

Thelicense filelocated at/etc/opsd/.fortisiem4x0is critical for thecollector's operation, as it verifies the collector'sregistration with the supervisorand enables proper functionality.

If thislicense file is removed, the collector:

● Willlose its registrationwith the supervisor.

● Willstop receiving updates and configurationsfrom the FortiSIEM supervisor.

● Will requirere-registrationwith the supervisor to obtain a new license file.

In the exhibit, the "Clear If" condition does not specify a condition for auto-clearing the incident. If an incident does not have a specific clear condition, it remains active until manually resolved or cleared by another process.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

The rule triggers an incident when there are two or more VPN logon failures within a 10-minute window, grouped by Source IP, Reporting Device, Reporting IP, and User. Let's analyze the events:

Breakdown of Events:

1. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Sarah

2. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: John

3. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Tom

4. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: John

5. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Sarah

6. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Tom

Now, applying the grouping criteria (Source IP, Reporting Device, Reporting IP, and User):

● Group 1: (1.1.1.1, 2.2.2.2, FortiGate, John) → 1 occurrence (not enough)

● Group 2: (1.1.1.1, 2.2.2.2, FortiGate, Sarah) → 1 occurrence (not enough)

● Group 3: (1.1.1.1, 2.2.2.2, FortiGate, Tom) → 2 occurrences (incident triggered)

● Group 4: (1.1.1.3, 2.2.2.2, FortiGate2, John) → 2 occurrences (incident triggered)

● Group 5: (1.1.1.3, 2.2.2.2, FortiGate2, Sarah) → 1 occurrence (not enough)

● Group 6: (1.1.1.3, 2.2.2.2, FortiGate2, Tom) → 1 occurrence (not enough)

Final Incident Count:

● One incident for Group 3 (Tom on FortiGate)

● One incident for Group 4 (John on FortiGate2)

Total EPS License Purchased: 500 EPS

Allocated EPS:

● Customer A: 100 EPS

● Customer B: 200 EPS

Remaining EPS Pool:

500 − (100 + 200) = 200 EPS

In a multi-tenant FortiSOAR deployment, a Managed Security Service Provider (MSSP) hosts a shared FortiSOAR instance that serves multiple customers. Each customer operates as a separate tenant within the instance, ensuring data isolation and security.

FortiSOAR uses secure network connectivity (VPNs, direct connections, or secure tunnels) between the MSSP’s FortiSOAR manager node and the customer’s devices.

The customer does not need to install additional software or tenant nodes; instead, the MSSP manages multi-tenancy at the platform level.