FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Question and Answers

Exact Extract: Study Guide p.202-p.203: FortiOS connector actions require automation rules configured on FortiGate.

Technical Deep Dive: The correct answer is D. FortiAnalyzer lists the FortiOS connector after FortiGate is added, but the available actions depend on FortiGate automation configuration. Specifically, the FortiGate side must have automation rules using the Incoming Webhook Call trigger before actions become available to the connector. Option A is wrong because Fabric ADOMs do not automatically come with multiple usable external connectors. Options B and C misunderstand the local connector, which is available by default for local FortiAnalyzer actions.

Exact Extract: Study Guide p.82: " Unhandled " means the security event risk is not mitigated or contained, and an IPS/AV pass action is an example.

Technical Deep Dive: The correct answer is B because an IPS log with action=pass means the traffic matched or was observed in a way that generated a security event, but the traffic was not blocked, dropped, or quarantined. FortiAnalyzer therefore treats the event as still open from a SOC workflow perspective. Option A is wrong because quarantine isolates the malicious object and maps to Contained. Options C and D are wrong because dropped or blocked actions mean enforcement already occurred, which maps to Mitigated rather than Unhandled.

Exact Extract: Study Guide p.130: the IOC service uses FortiGuard and analyzes web filtering, DNS, and traffic logs for breach detection.

Technical Deep Dive: The correct answers are B and D. To view compromised hosts, FortiAnalyzer needs relevant logs that expose suspicious destinations or web activity, and it needs current FortiGuard IOC intelligence. Web filtering logs are especially important because they contain URL/domain activity that can be compared with FortiGuard threat intelligence. The FortiGuard subscription keeps the threat database current. Option A may help identify devices in some FortiGate workflows, but it is not the core IOC requirement described in the Analyst guide. Option C is wrong because FortiAnalyzer does not need direct reachability to every endpoint; it evaluates logs received from FortiGate.

Exact Extract: Study Guide p.157-p.158: report datasets use SQL SELECT queries, and clauses must be in the correct order.

Technical Deep Dive: The correct answer is A. The valid query must select the required fields, read from $log, apply the filter for the source IP, group the selected values, and order the output as expected. Option A follows the SQL structure FortiAnalyzer expects for report datasets. The incorrect options either reverse the filter logic, place clauses in the wrong order, or use malformed aliases/conditions. In FortiAnalyzer reporting, a syntactically correct dataset is mandatory because the chart receives only the data returned by that SQL SELECT query.

Exact Extract: Study Guide p.25-p.26: the supervisor displays member logs, can aggregate report data, and shows events generated on members.

Technical Deep Dive: The correct answers are C, D, and E. FortiAnalyzer Fabric supervisor visibility includes logs collected on members, events generated by member event handlers, and reports that fetch and aggregate data from multiple members. Playbooks are not available as a supervisor-to-member execution module; the guide states supervisors cannot run automation playbooks on members. Indicators are not listed in the Fabric supervisor modules described for member analysis in the study guide.

Exact Extract: Study Guide p.39-p.41: logs are saved first, and parsers are needed to normalize raw logs into standardized fields.

Technical Deep Dive: The correct answer is C. FortiAnalyzer does not discard a log simply because a matching parser is unavailable. The received log is still saved in the FortiAnalyzer log workflow. However, normalization requires a parser that can extract fields and map them into FortiAnalyzer’s common schema. Without that parser, the log remains stored but not normalized. Option A is too destructive. Option B assumes a generic parser is automatically applied. Option D confuses storage/archive state with parser availability.

Exact Extract: Study Guide p.78: event handlers can use notification profiles; p.107 describes external notifications through Fabric connectors.

Technical Deep Dive: The correct answers are A and C. When an event handler generates an event, FortiAnalyzer can use notification mechanisms such as SNMP traps through notification profiles. FortiAnalyzer also supports sending alerts to external platforms using configured Fabric connectors. FortiGuard is not an alert delivery server in this workflow; it supplies threat intelligence and outbreak content. SMS notification is not one of the event-handler notification methods described in the guide sections relevant to this question.

Exact Extract: Study Guide p.208: to run a report as a playbook task, the report must already exist and have auto-cache and extended log filtering enabled.

Technical Deep Dive: The correct answer is A. If the report is not visible as an available report task target, the usual reason is that it does not meet the report-task prerequisites. FortiAnalyzer requires the report to exist already and to have both auto-cache and extended log filtering enabled. Option B is irrelevant because a running playbook does not hide a report definition. Option C is wrong because the trigger starts the playbook, not the report listing. Option D is wrong because report results are not the prerequisite for listing the report as a task target.

Exact Extract: Study Guide p.181: output profiles specify report format and whether to email or upload generated reports.

Technical Deep Dive: The correct answer is D. The mail server being configured only gives FortiAnalyzer the ability to send email. To send generated reports automatically, the report must use an output profile that defines the delivery method and recipients or upload target. Option A is not a report-level distribution setting. Option B confuses report layout content with report delivery. Option C is wrong because the report calendar shows scheduled report status; scheduling and distribution are configured in the report settings and output profile.

Exact Extract: Study Guide p.98: blocking suspicious indicators requires an authorized FortiManager connector and updates a FortiManager External Resource list.

Technical Deep Dive: The correct answer is B. FortiAnalyzer does not directly push the block to FortiGate from the indicator page. It uses a FortiManager connector; the Block_indicator playbook periodically sends blocked indicators to FortiManager, where they are added to an External Resource list. FortiManager policies or threat feeds can then be used to push enforcement to FortiGate. Option A skips FortiManager, which is the documented control point. Options C and D use the wrong integration mechanism for indicator blocking.

Exact Extract: Study Guide p.202: FortiOS connector actions appear only after enabling an automation rule using the Incoming Webhook Call trigger on FortiGate.

Technical Deep Dive: The correct answer is D. A FortiAnalyzer playbook can list a FortiOS connector after FortiGate is added, but the available FortiOS actions depend on FortiGate-side automation rules. FortiGate must expose an Incoming Webhook trigger so FortiAnalyzer can call the automation stitch. A FortiAnalyzer Event Handler is used on FortiAnalyzer to generate events, not to expose FortiOS connector actions. Fabric Connector events and FortiOS Event Log triggers do not provide the FortiAnalyzer-to-FortiGate action handoff tested here.

Exact Extract: Study Guide p.21-p.24: HA is not supported on supervisors; members provide analyzer features and supervisor visibility does not require log forwarding to supervisor storage.

Technical Deep Dive: The correct answers are B and C. Fabric members must retain analyzer capabilities such as events and reports; collector mode lacks Incidents and Events and reporting, so member devices operate with analyzer functionality. The supervisor provides centralized visibility into logs collected on members rather than requiring members to forward all logs into supervisor storage. Option A is false because HA is not available for the supervisor. Option D is false because the guide states members do not have to share the supervisor time zone.

Exact Extract: Study Guide p.189: for missing report data, check the report time frame and test the dataset.

Technical Deep Dive: The correct answers are A and D. If the logs exist but the generated report lacks expected information, the first checks are whether the report time frame includes those logs and whether the dataset query returns the expected rows. Reports are only as accurate as their time filter and SQL dataset. Disabling auto-cache is not the normal fix; cache improves performance and scheduled reports use it. Increasing a quota does not correct a wrong time range or broken SQL query unless the report fails for resource reasons, which is not the scenario described.

Exact Extract: Study Guide p.83: generic text filters support field operators, including equality and inequality, for precise event-handler matching.

Technical Deep Dive: The correct answer is A. The required filter must match login operations to the GUI from Laptop1 and exclude the admin user. Option A includes the login operation, the correct GUI/IP value for Laptop1, and user!=admin. Option B uses the wrong IP address. Option C incorrectly matches user==admin, which is the opposite of the requirement. Option D lacks the correct performed_on GUI condition and has malformed inequality syntax. For event-handler filters, small syntax or field mistakes change the result completely.

Exact Extract: Official Fortinet FortiSIEM MEA guidance: after enabling the Collector MEA, it must be registered to a licensed FortiSIEM Supervisor.

Technical Deep Dive: The correct answer is D. FortiSIEM MEA on FortiAnalyzer functions as a FortiSIEM collector component and must register to a FortiSIEM Supervisor for operation. Option A describes FortiSOAR-style incident lifecycle management more than FortiSIEM MEA. Option B is wrong because the management extension runs on FortiAnalyzer rather than as a dedicated VM for the MEA itself. Option C is inaccurate because Fortinet documents CPU/RAM caps for MEAs, not a 50% disk-space cap as the defining requirement.

Exact Extract: Study Guide p.39: rolled log files are compressed, receive the .gz extension, and are known as archive logs.

Technical Deep Dive: The correct answer is C. FortiAnalyzer stores received logs first as log files and also indexes them for analytics. When the log file rolls over, FortiAnalyzer renames it, timestamps it, and compresses it into a .gz file. That compressed offline file is the archive log. Option A describes analytics logs in the SQL database. Option B is wrong because FortiView uses analytics logs, not archive logs. Option D confuses archive status with device availability; a log is archived because of the storage workflow, not because the source device is offline.

Exact Extract: Study Guide p.175: Chart Builder automatically builds a dataset and chart from filtered Log View search results.

Technical Deep Dive: The correct answer is D. Chart Builder is a shortcut for turning a useful filtered log search into reusable reporting content. The analyst first filters Log View to the desired data, then uses Chart Builder to create the dataset and chart automatically. Option A is wrong because it is not based on a fixed top-100 list. Option B is incomplete because the feature creates chart/dataset objects rather than merely adding a chart to a generated report. Option C incorrectly places the output under FortiView instead of reporting libraries.

Exact Extract: Study Guide p.64-p.65: FortiView summarizes threats and can export FortiView information as a PDF file.

Technical Deep Dive: The correct answer is D. FortiView provides dashboard views such as Threats, where identified threats within a selected timeframe are summarized and organized for analysis. The guide also states FortiView information can be exported as a PDF. Log Browse and Log View are useful for searching individual logs, but they do not provide the same threat-summary dashboard workflow. Fabric View is for Security Fabric topology and inventory context, not top-threat investigation and PDF export.

Exact Extract: Study Guide p.134-p.135: Outbreak Detection Service is licensed and downloads related event handlers and reports from FortiGuard.

Technical Deep Dive: The correct answers are A and B. The Outbreak Detection Service requires a license and allows FortiAnalyzer to receive outbreak alerts and automatically download related event handlers and reports created by Fortinet for emerging threats. Option C is wrong because outbreak alerts are available on all ADOMs, not root only. Option D is not the core mechanism described in the guide; the feature is FortiGuard-delivered content within FortiAnalyzer, not simply email-based alerting.

Exact Extract: Study Guide p.141: Log Insert Lag Time is the time between log receipt and indexing.

Technical Deep Dive: The correct answer is A. A rising data point on the Log Insert Lag Time graph means the delay between receiving logs and indexing them is increasing. That indicates the database/indexing pipeline is falling behind at that moment. Option B is wrong because the chart is not proving cache use to avoid drops. Option C might become true if lag exceeds baseline persistently, but a single point only shows lag behavior. Option D is the opposite: if sqlplugind were caught up, lag would be low or decreasing.