Fortinet FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Exam Practice Test

The administratordeployed FortiSIEM without a collector, meaning there is no dedicated system collecting logs fromservice provider infrastructure devices. Without a collector, the FortiSIEMsupervisor and workersmust directly ingest logs, which is not ideal for amulti-tenant service provider setup. Acollector is necessaryto efficiently gather logs before forwarding them to the FortiSIEM cluster.

FortiSIEM does not allow CMDB queries to be nested within other CMDB queries. CMDB data is static information, and nesting would not add value or function properly in query execution.

Guaranteed Allocation:50 + 100 + 150 = 300 EPS

Actual (Incoming) Usage:25 + 50 + 75 = 150 EPS→ Unused from guarantees = 300 − 150 = 150 EPS

Burst Capacity (Licensed minus Guaranteed):520 − 300 = 220 EPS

Total Unused Capacity:150 + 220 = 370 EPS

As a Percentage of Licensed EPS:370/520 ≈ 71.15% → reported (after conversion/rounding) as ~71.460

The phProvisionCollector command is used to register a collector to the supervisor in FortiSIEM. The correct syntax requires:

● User → The admin username for authentication.

● Password → The password for authentication.

● Super IP → The IP address of the supervisor, which manages the collector.

● Organization → The organization to which the collector belongs.

● Worker Name → The name of the worker node responsible for handling events from this collector.

The exhibit shows the directory listings forthree different workers(worker1,worker2, andworker3) under the/querywkr/active/13127*path, which indicatesactive query tasksassigned to each worker.

1.Worker1 (worker1)

The output doesnotshow any subdirectories or task files (13127t0,13127t1, etc.), meaningWorker1 is not assigned any tasks.

2.Worker2 (worker2)

The output showsone task (13127t1)under/querywkr/active/13127*.

The workerhas only one assigned task, not two, so optionsC and D are incorrect.

3.Worker3 (worker3)

The output showstwo tasks (13127t0and13127t1), indicating that Worker3 is processingtwo tasksfor query ID 13127.

The rule triggers an incident when there are two or more VPN logon failures within a 10-minute window, grouped by Source IP, Reporting Device, Reporting IP, and User. Let's analyze the events:

Breakdown of Events:

1. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Sarah

2. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: John

3. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Tom

4. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: John

5. Reporting IP: 1.1.1.3, Source IP: 2.2.2.2, Device: FortiGate2, User: Sarah

6. Reporting IP: 1.1.1.1, Source IP: 2.2.2.2, Device: FortiGate, User: Tom

Now, applying the grouping criteria (Source IP, Reporting Device, Reporting IP, and User):

● Group 1: (1.1.1.1, 2.2.2.2, FortiGate, John) → 1 occurrence (not enough)

● Group 2: (1.1.1.1, 2.2.2.2, FortiGate, Sarah) → 1 occurrence (not enough)

● Group 3: (1.1.1.1, 2.2.2.2, FortiGate, Tom) → 2 occurrences (incident triggered)

● Group 4: (1.1.1.3, 2.2.2.2, FortiGate2, John) → 2 occurrences (incident triggered)

● Group 5: (1.1.1.3, 2.2.2.2, FortiGate2, Sarah) → 1 occurrence (not enough)

● Group 6: (1.1.1.3, 2.2.2.2, FortiGate2, Tom) → 1 occurrence (not enough)

Final Incident Count:

● One incident for Group 3 (Tom on FortiGate)

● One incident for Group 4 (John on FortiGate2)

InFortiSIEM,SQLite databasesused forbaseliningare stored in the/opt/phoenix/cachedirectory. This location is used fortemporary storage and caching of profile datathat is essential for anomaly detection and trend analysis.

●Baselininginvolves analyzing historical data to determine expected behavior patterns.

●SQLite databasesstore aggregated statistics, which are referenced during rule evaluations.

● Thecache directoryallows quick access to these values without querying the main database repeatedly.

phRuleWorker processes events in 60-second intervals (buckets). This means that events within a one-minute window are evaluated together for rule conditions, helping detect patterns, correlations, and triggers.

phRuleWorker runs both on the supervisor and worker nodes to distribute event processing. The supervisor primarily orchestrates rule evaluation, while workers handle distributed event processing.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

InFortiSIEM, when an agent isuninstalled from a Windows device, the deviceremains in the CMDB (Configuration Management Database)until it ismanually removed.

●Uninstalling the agent does not automatically remove the device from the CMDB.

● CMDB maintains discovered deviceseven if they no longer report logs, ensuring historical tracking.

● Administrators mustmanually deletethe device from theCMDB > Devicessection.

FortiSIEM's User and Entity Behavior Analytics (UEBA) uses AI-driven modeling to detect anomalies and security risks based on user activity. The risk weighting for UEBA tags allows customization of the AI model by prioritizing certain behaviors or indicators over others.

Adjusting risk weightings fine-tunes how the AI model evaluates risk, helping organizations align detection sensitivity with their security policies. This provides a customized risk scoring mechanism without requiring full AI retraining.

When a WAN link failure occurs between the collector and the supervisor in FortiSIEM:

● The collector does not discard events; instead, it buffers them until the connection is restored.

● The buffering limit is up to 1 GB after compression to optimize storage and prevent data loss.

● Once the WAN link is restored, buffered events are sent to the supervisor for processing.

When registeringagentsin FortiSIEM, the organization to which they belong depends on how they are installed:

●Windows Agents

● During installation, the setup wizard prompts the user to specify theorganization.

● This ensures the agent is correctly assigned to the organization defined during setup.

●Linux Agents

● Installation on Linux requirescommand-line parameters, including theorganization name.

● This means that the organization is explicitly defined during the installation process.

Automatic remediation inFortiSIEMenablesreal-time responseto security threats without manual intervention. While this can improve response times, it also introducesrisksbecauseactions are taken automatically based on predefined rules, without human verification.

● Automated responsescould mistakenly block legitimate usersfrom critical systems or applications.

●Misconfigured rulesmightdisconnect essential systems, causing business disruptions.

● If an incident isa false positive,automatic remediation may interfere with normal operationsunnecessarily.

From the provided XML configuration, we need to focus on the section, which defines the attributes used for grouping.

In theSelectClause, the following attributes are listed:

reptDevName, reptDevAddr, COUNT(*), COUNT(DISTINCT user), COUNT(DISTINCT srcIpAddr)

●reptDevNamerepresents thereporting device.

●reptDevAddrrepresents thereporting IP.

●COUNT(DISTINCT user)tracks unique users.

●COUNT(DISTINCT srcIpAddr)tracks distinct source IPs.

In theGroupByAttrsection:

reptDevName, reptDevAddr

This confirms that the grouping is performed byReporting Device (reptDevName)andReporting IP (reptDevAddr).

In the exhibit, the "Clear If" condition does not specify a condition for auto-clearing the incident. If an incident does not have a specific clear condition, it remains active until manually resolved or cleared by another process.

Afterregistration, collectors maintaincontinuous communicationwith theSupervisorto ensure properevent processing, system health monitoring, and failover handling. The two key reasons collectors communicate with the Supervisor are:

1.To upload event data if a worker is down

If aworker node fails, thecollector can temporarily store event logsand then forward them to the Supervisor.

This ensuresevent continuityeven during infrastructure issues.

2.To report its own health status

Thecollector sends health reportsto theSupervisor, including resource usage, connectivity status, and operational logs.

This helps FortiSIEM trackcollector uptime and performance.