Question # 4
Which two statements about the FortiAnalyzer Fabric topology are true? (Choose two.)
A.
Downstream collectors can forward logs to Fabric members.
B.
Logging devices must be registered to the supervisor.
C.
The supervisor uses an API to store logs, incidents, and events locally.
D.
Fabric members must be in analyzer mode.
Full Access
Answer:
B, D
Explanation:
Understanding FortiAnalyzer Fabric Topology:
The FortiAnalyzer Fabric topology is designed to centralize logging and analysis across multiple devices in a network.
It involves a hierarchy where the supervisor node manages and coordinates with other Fabric members.
Analyzing the Options:
Option A:Downstream collectors forwarding logs to Fabric members is not a typical configuration. Instead, logs are usually centralized to the supervisor.
Option B:For effective management and log centralization, logging devices must be registered to the supervisor. This ensures proper log collection and coordination.
Option C:The supervisor does not primarily use an API to store logs, incidents, and events locally. Logs are stored directly in the FortiAnalyzer database.
Option D:For the Fabric topology to function correctly, all Fabric members need to be in analyzer mode. This mode allows them to collect, analyze, and forward logs appropriately within the topology.
Conclusion:
The correct statements regarding the FortiAnalyzer Fabric topology are that logging devices must be registered to the supervisor and that Fabric members must be in analyzer mode.
[References:, Fortinet Documentation on FortiAnalyzer Fabric Topology., Best Practices for Configuring FortiAnalyzer in a Fabric Environment., , , , ]
Question # 5
Refer to the exhibits.
You configured a custom event handler and an associated rule to generate events whenever FortiMail detects spam emails. However, you notice that the event handler is generating events for both spam emails and clean emails.
Which change must you make in the rule so that it detects only spam emails?
A.
In the Log Type field, select Anti-Spam Log (spam)
B.
In the Log filter by Text field, type type==spam.
C.
Disable the rule to use the filter in the data selector to create the event.
D.
In the Trigger an event when field, select Within a group, the log field Spam Name (snane) has 2 or more unique values.
Full Access
Answer:
A
Explanation:
Understanding the Custom Event Handler Configuration:
The event handler is set up to generate events based on specific log data.
The goal is to generate events specifically for spam emails detected by FortiMail.
Analyzing the Issue:
The event handler is currently generating events for both spam emails and clean emails.
This indicates that the rule's filtering criteria are not correctly distinguishing between spam and non-spam emails.
Evaluating the Options:
Option A:Selecting the "Anti-Spam Log (spam)" in the Log Type field will ensure that only logs related to spam emails are considered. This is the most straightforward and accurate way to filter for spam emails.
Option B:Typing type==spam in the Log filter by Text field might help filter the logs, but it is not as direct and reliable as selecting the correct log type.
Option C:Disabling the rule to use the filter in the data selector to create the event does not address the issue of filtering for spam logs specifically.
Option D:Selecting "Within a group, the log field Spam Name (snane) has 2 or more unique values" is not directly relevant to filtering spam logs and could lead to incorrect filtering criteria.
Conclusion:
The correct change to make in the rule is to select "Anti-Spam Log (spam)" in the Log Type field. This ensures that the event handler only generates events for spam emails.
[References:, Fortinet Documentation on Event Handlers and Log Types., Best Practices for Configuring FortiMail Anti-Spam Settings., , , ]
Question # 6
Refer to the exhibits.
The FortiMail Sender Blocklist playbook is configured to take manual input and add those entries to the FortiMail abc. com domain-level block list. The playbook is configured to use a FortiMail connector and the ADD_SENDER_TO_BLOCKLIST action.
Why is the FortiMail Sender Blocklist playbook execution failing7
A.
You must use the GET_EMAIL_STATISTICS action first to gather information about email messages.
B.
FortiMail is expecting a fully qualified domain name (FQDN).
C.
The client-side browser does not trust the FortiAnalzyer self-signed certificate.
D.
The connector credentials are incorrect
Full Access
Answer:
B
Explanation:
Understanding the Playbook Configuration:
The playbook "FortiMail Sender Blocklist" is designed to manually input email addresses or IP addresses and add them to the FortiMail block list.
The playbook uses a FortiMail connector with the action ADD_SENDER_TO_BLOCKLIST.
Analyzing the Playbook Execution:
The configuration and actions provided show that the playbook is straightforward, starting with an ON_DEMAND STARTER and proceeding to the ADD_SENDER_TO_BLOCKLIST action.
The action description indicates it is intended to block senders based on email addresses or domains.
Evaluating the Options:
Option A:Using GET_EMAIL_STATISTICS is not required for the task of adding senders to a block list. This action retrieves email statistics and is unrelated to the block list configuration.
Option B:The primary reason for failure could be the requirement for a fully qualified domain name (FQDN). FortiMail typically expects precise information to ensure the correct entries are added to the block list.
Option C:The trust level of the client-side browser with FortiAnalyzer's self-signed certificate does not impact the execution of the playbook on FortiMail.
Option D:Incorrect connector credentials would result in an authentication error, but the problem described is more likely related to the format of the input data.
Conclusion:
The FortiMail Sender Blocklist playbook execution is failing because FortiMail is expecting a fully qualified domain name (FQDN).
[References:, Fortinet Documentation on FortiMail Connector Actions., Best Practices for Configuring FortiMail Block Lists., , , , , ]
Question # 7
Refer to the exhibits.
You configured a spearphishing event handler and the associated rule. However. FortiAnalyzer did not generate an event.
When you check the FortiAnalyzer log viewer, you confirm that FortiSandbox forwarded the appropriate logs, as shown in the raw log exhibit.
What configuration must you change on FortiAnalyzer in order for FortiAnalyzer to generate an event?
A.
In the Log Type field, change the selection to AntiVirus Log(malware).
B.
Configure a FortiSandbox data selector and add it tothe event handler.
C.
In the Log Filter by Text field, type the value: .5 ub t ype ma Iwa re..
D.
Change trigger condition by selecting. Within a group, the log field Malware Kame (mname> has 2 or more unique values.
Full Access
Answer:
B
Explanation:
Understanding the Event Handler Configuration:
The event handler is set up to detect specific security incidents, such as spearphishing, based on logs forwarded from other Fortinet products like FortiSandbox.
An event handler includes rules that define the conditions under which an event should be triggered.
Analyzing the Current Configuration:
The current event handler is named "Spearphishing handler" with a rule titled "Spearphishing Rule 1".
The log viewer shows that logs are being forwarded by FortiSandbox but no events are generated by FortiAnalyzer.
Key Components of Event Handling:
Log Type: Determines which type of logs will trigger the event handler.
Data Selector: Specifies the criteria that logs must meet to trigger an event.
Automation Stitch: Optional actions that can be triggered when an event occurs.
Notifications: Defines how alerts are communicated when an event is detected.
Issue Identification:
Since FortiSandbox logs are correctly forwarded but no event is generated, the issue likely lies in the data selector configuration or log type matching.
The data selector must be configured to include logs forwarded by FortiSandbox.
Solution:
B. Configure a FortiSandbox data selector and add it to the event handler:
By configuring a data selector specifically for FortiSandbox logs and adding it to the event handler, FortiAnalyzer can accurately identify and trigger events based on the forwarded logs.
Steps to Implement the Solution:
Step 1: Go to the Event Handler settings in FortiAnalyzer.
Step 2: Add a new data selector that includes criteria matching the logs forwarded by FortiSandbox (e.g., log subtype, malware detection details).
Step 3: Link this data selector to the existing spearphishing event handler.
Step 4: Save the configuration and test to ensure events are now being generated.
Conclusion:
The correct configuration of a FortiSandbox data selector within the event handler ensures that FortiAnalyzer can generate events based on relevant logs.
Fortinet Documentation on Event Handlers and Data Selectors FortiAnalyzer Event Handlers
Fortinet Knowledge Base for Configuring Data Selectors FortiAnalyzer Data Selectors
By configuring a FortiSandbox data selector and adding it to the event handler, FortiAnalyzer will be able to accurately generate events based on the appropriate logs.
Question # 8
Refer to the exhibits.
Assume that the traffic flows are identical, except for the destination IP address. There is only one FortiGate in network address translation (NAT) mode in this environment.
Based on the exhibits, which two conclusions can you make about this FortiSIEM incident? (Choose two answers)
A.
The client 10.200.3.219 is conducting active reconnaissance.
B.
FortiGate is not routing the packets to the destination hosts.
C.
The destination hosts are not responding.
D.
FortiGate is blocking the return flows.
Full Access
Answer:
A, C
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
Based on the analysis of theTriggering Eventsand theRaw Messageprovided in the FortiSIEM 7.3 interface:
Active Reconnaissance (A):The "Triggering Events" table shows a single source IP (10.200.3.219) attempting to connect to multiple different destination IP addresses (10.200.200.166, .128, .129, .159, .91) on the same service (FTP/Port 21). Each attempt consists of exactly1 Sent Packetand0 Received Packets. This pattern of "one-to-many" sequential connection attempts is the signature of a horizontal port scan, which is a primary technique inActive Reconnaissance.
Destination hosts are not responding (C):The Raw Log shows the action as"timeout"and specifically lists"sentpkt=1 rcvdpkt=0". In FortiGate log logic (which FortiSIEM parses), a "timeout" with zero received packets indicates that the firewall allowed the packet out (Action was not 'deny'), but no SYN-ACK or response was received from the target host within the session timeout period. This confirms the destination hosts are either offline, non-existent, or silently dropping the traffic.
Why other options are incorrect:
FortiGate is not routing (B):If the FortiGate were not routing the packets, the logs would typically not show a successful session initialization ending in a "timeout," or they would show a routing error/deny. The fact that 44 bytes were sent indicates the FortiGate processed and attempted to forward the traffic.
FortiGate is blocking return flows (D):If the return flow were being blocked by a security policy on the FortiGate, the action would typically be logged as"deny"for the return traffic, and the session state would reflect a policy violation rather than a generic session"timeout".
Question # 9
Which two ways can you create an incident on FortiAnalyzer? (Choose two answers)
A.
Using a custom event handler
B.
Using a connector action
C.
Manually, on the Event Monitor page
D.
By running a playbook
Full Access
Answer:
A, D
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiAnalyzer 7.6and related SOC versions, incidents serve as centralized containers for tracking and analyzing security events. There are two primary automated and manual methods to initiate an incident:
Using a custom event handler (A):In FortiAnalyzer, event handlers are used to generate events from raw logs.1A critical feature in recent versions is theAutomatically Create Incidentsetting within a custom event handler.2When enabled, the system automatically elevates a triggered event into a new incident record, allowing analysts to bypass the manual review of every individual event before an incident is raised.3
By running a playbook (D):Playbooks provide a powerful way to automate the incident lifecycle.4A playbook can be configured with anEvent Trigger, meaning it executes as soon as an event matches specific criteria. One of the core actions available within these playbooks is theCreate Incidentaction, which can automatically populate incident details, severity, and category based on the triggering event's data.5This ensures high-fidelity events are consistently captured for investigation.
Why other options are incorrect:
Using a connector action (B):While connectors allow FortiAnalyzer to communicate with external systems (like ITSM or Security Fabric devices), the act of "creating an incident"insideFortiAnalyzer is a function of the internal event engine or playbook automation, not a standalone connector action used for external integration.
Manually, on the Event Monitor page (C):While you can view, filter, and acknowledge events on theEvent Monitorpage, the process ofmanuallyraising an incident typically occurs from theIncidentsmodule or by right-clicking an event to "Raise Incident" in the Log View or FortiView, rather than being a core function defined as occurring "on the Event Monitor page" in the same architectural sense as handlers and playbooks.
Question # 10
Refer to the exhibit. What is the correct Jinja expression to filter the results to show only the MD5 hash values?
{{ [slot 1] | [slot 2] [slot 3].[slot 4] }}
Select the Jinja expression in the left column, hold and drag it to a blank position on the right. Place the four correct steps in order, placing the first step in the first slot.
Full Access
Answer:
Answer: 
Explanation:
Slot 1:dataSlot 2:json_querySlot 3:("results[?type=='FileHash-MD5']")Slot 4:value
Final Expression: {{ vars.artifacts.data | json_query("results[?type=='FileHash-MD5']") .value }}
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, advanced data manipulation within playbooks often requires the use ofJMESPathqueries via the json_query Jinja filter. To extract specific data from a complex JSON object (like the vars.artifacts dictionary shown in the exhibit), the analyst must follow the structural hierarchy:
Slot 1 (data):Based on the exhibit, the root of the artifact information is located under vars.artifacts.data. Therefore, "data" is the starting point for the filter.
Slot 2 (json_query):To perform advanced filtering (searching for a specific type), the json_query filter must be applied. This allows the playbook to traverse the list and find items matching a specific key-value pair.
Slot 3 ("results[?type=='FileHash-MD5']"):This is the JMESPath expression. It looks into the results array and applies a filter [?...] to find only those objects where the type attribute exactly matches FileHash-MD5.
Slot 4 (value):Once the correct object(s) are found, the expression needs to return the actual hash. In the JSON exhibit, the MD5 string is stored in the key named value.
Why other options are incorrect:
tojson:This filter converts a dictionary/list into a JSON string, which would break the ability to further query the object for the "value" field.
results (as a standalone slot):While "results" is part of the path, it is handledinsidethe json_query string to allow for conditional filtering.
Question # 11
Which FortiAnalyzer feature uses the SIEM database for advance log analytics and monitoring?
A.
Threat hunting
B.
Asset Identity Center
C.
Event monitor
D.
Outbreak alerts
Full Access
Answer:
A
Explanation:
Understanding FortiAnalyzer Features:
FortiAnalyzer includes several features for log analytics, monitoring, and incident response.
The SIEM (Security Information and Event Management) database is used to store and analyze log data, providing advanced analytics and insights.
Evaluating the Options:
Option A: Threat hunting
Threat hunting involves proactively searching through log data to detect and isolate threats that may not be captured by automated tools.
This feature leverages the SIEM database to perform advanced log analytics, correlate events, and identify potential security incidents.
Option B: Asset Identity Center
This feature focuses on asset and identity management rather than advanced log analytics.
Option C: Event monitor
While the event monitor provides real-time monitoring and alerting based on logs, it does not specifically utilize advanced log analytics in the way the SIEM database does for threat hunting.
Option D: Outbreak alerts
Outbreak alerts provide notifications about widespread security incidents but are not directly related to advanced log analytics using the SIEM database.
Conclusion:
The feature that uses the SIEM database for advanced log analytics and monitoring in FortiAnalyzer isThreat hunting.
[References:, Fortinet Documentation on FortiAnalyzer Features and SIEM Capabilities., Security Best Practices and Use Cases for Threat Hunting., , , ]
Question # 12
Which of the following are critical when analyzing and managing events and incidents in a SOC? (Choose two answers)
A.
Accurate detection of threats
B.
Immediate escalation for all alerts
C.
Rapid identification of false positives
D.
Periodic system downtime for maintenance
Full Access
Answer:
A, C
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
In a modern Security Operations Center (SOC) environment powered byFortiSIEM 7.3andFortiSOAR 7.6, the efficiency of the incident response lifecycle depends on two primary pillars of analysis:
Accurate detection of threats (A):The primary goal of a SOC is to identify genuine malicious activity. Using FortiSIEM's correlation rules and machine learning (UEBA), the system must be tuned to detect patterns that signify real risk. Accuracy ensures that the SOC is not blinded by noise and can focus on critical security events that impact the organization's posture.
Rapid identification of false positives (C):"Alert Fatigue" is one of the greatest challenges in a SOC. Analysts must be able to quickly distinguish between legitimate anomalies (false positives) and actual threats.FortiSOARassists in this by using automated playbooks to perform initial triage and "pre-processing"—such as checking IP reputations or verifying user activity—to automatically close or demote alerts that do not represent a true threat, thereby freeing up analysts for high-priority investigations.
Why other options are incorrect:
Immediate escalation for all alerts (B):This is a poor SOC practice. Escalating every alert without triage leads to analyst burnout and overloads senior responders with low-value tasks. The goal of a tiered SOC (Tier 1, Tier 2, Tier 3) is to filter alerts so only significant incidents are escalated.
Periodic system downtime (D):SOC systems (SIEM/SOAR) are considered "Mission Critical" and must operate on a24/7/365basis. Maintenance should be performed using High Availability (HA) configurations or during "low-flow" windows without causing a complete stop in monitoring, as attackers often leverage downtime to strike.
Question # 13
When you use a manual trigger to save user input as a variable, what is the correct Jinja expression to reference the variable? (Choose one answer)
A.
{{ vars.input.params.
B.
{{ globalVars.
C.
{{ vars.item.
D.
{{ vars.steps.
Full Access
Answer:
A
Explanation:
Comprehensive and Detailed Explanation From FortiSOAR 7.6., FortiSIEM 7.3 Exact Extract study guide:
InFortiSOAR 7.6, the playbook engine utilizes Jinja2 expressions to handle dynamic data. When a playbook is configured with aManual Trigger, the administrator can define input fields (such as text, picklists, or checkboxes) that an analyst must fill out when executing the playbook from a record.
Input Parameter Mapping:Any data entered by the user during this manual trigger phase is automatically mapped to the input.params dictionary within the vars object. Therefore, the syntax to retrieve a specific input value is {{ vars.input.params.variable_name }}.
Scope of Variables:This specific path ensures that the variable is pulled from the initial user input rather than from the output of a subsequent step (vars.steps) or a globally defined variable (globalVars).
Question # 14
When does FortiAnalyzer generate an event?
A.
When a log matches a filter in a data selector
B.
When a log matches an action in a connector
C.
When a log matches a rule in an event handler
D.
When a log matches a task in a playbook
Full Access
Answer:
C
Explanation:
Understanding Event Generation in FortiAnalyzer:
FortiAnalyzer generates events based on predefined rules and conditions to help in monitoring and responding to security incidents.
Analyzing the Options:
Option A:Data selectors filter logs based on specific criteria but do not generate events on their own.
Option B:Connectors facilitate integrations with other systems but do not generate events based on log matches.
Option C:Event handlers are configured with rules that define the conditions under which events are generated. When a log matches a rule in an event handler, FortiAnalyzer generates an event.
Option D:Tasks in playbooks execute actions based on predefined workflows but do not directly generate events based on log matches.
Conclusion:
FortiAnalyzer generates an event when a log matches a rule in an event handler.
[References:, Fortinet Documentation on Event Handlers and Event Generation in FortiAnalyzer., Best Practices for Configuring Event Handlers in FortiAnalyzer., , , ]
Question # 15
Refer to the exhibits.
The Malicious File Detect playbook is configured to create an incident when an event handler generates a malicious file detection event.
Why did the Malicious File Detect playbook execution fail?
A.
The Create Incident task was expecting a name or number as input, but received an incorrect data format
B.
The Get Events task did not retrieve any event data.
C.
The Attach_Data_To_lncident incident task wasexpecting an integer, but received an incorrect data format.
D.
The Attach Data To Incident task failed, which stopped the playbook execution.
Full Access
Answer:
A
Explanation:
Understanding the Playbook Configuration:
The "Malicious File Detect" playbook is designed to create an incident when a malicious file detection event is triggered.
The playbook includes tasks such as Attach_Data_To_Incident, Create Incident, and Get Events.
Analyzing the Playbook Execution:
The exhibit shows that the Create Incident task has failed, and the Attach_Data_To_Incident task has also failed.
The Get Events task succeeded, indicating that it was able to retrieve event data.
Reviewing Raw Logs:
The raw logs indicate an error related to parsing input in the incident_operator.py file.
The error traceback suggests that the task was expecting a specific input format (likely a name or number) but received an incorrect data format.
Identifying the Source of the Failure:
The Create Incident task failure is the root cause since it did not proceed correctly due to incorrect input format.
The Attach_Data_To_Incident task subsequently failed because it depends on the successful creation of an incident.
Conclusion:
The primary reason for the playbook execution failure is that the Create Incident task received an incorrect data format, which was not a name or number as expected.
[References:, Fortinet Documentation on Playbook and Task Configuration., Error handling and debugging practices in playbook execution., , , , ]
Question # 16
Which statement describes automation stitch integration between FortiGate and FortiAnalyzer?
A.
An event handler on FortiAnalyzer executes an automation stitch when an event is created.
B.
An automation stitch is configured on FortiAnalyzer and mapped to FortiGate using the FortiOS connector.
C.
An event handler on FortiAnalyzer is configured to send a notification to FortiGate to trigger an automation stitch.
D.
A security profile on FortiGate triggers a violation and FortiGate sends a webhook call to FortiAnalyzer.
Full Access
Answer:
D
Explanation:
Overview of Automation Stitches: Automation stitches in Fortinet solutions enable automated responses to specific events detected within the network. This automation helps in swiftly mitigating threats without manual intervention.
FortiGate Security Profiles:
FortiGate uses security profiles to enforce policies on network traffic. These profiles can include antivirus, web filtering, intrusion prevention, and more.
When a security profile detects a violation or a specific event, it can trigger predefined actions.
Webhook Calls:
FortiGate can be configured to send webhook calls upon detecting specific security events.
A webhook is an HTTP callback triggered by an event, sending data to a specified URL. This allows FortiGate to communicate with other systems, such as FortiAnalyzer.
FortiAnalyzer Integration:
FortiAnalyzer collects logs and events from various Fortinet devices, providing centralized logging and analysis.
Upon receiving a webhook call from FortiGate, FortiAnalyzer can further analyze the event, generate reports, and take automated actions if configured to do so.
Detailed Process:
Step 1: A security profile on FortiGate triggers a violation based on the defined security policies.
Step 2: FortiGate sends a webhook call to FortiAnalyzer with details of the violation.
Step 3: FortiAnalyzer receives the webhook call and logs the event.
Step 4: Depending on the configuration, FortiAnalyzer can execute an automation stitch to respond to the event, such as sending alerts, generating reports, or triggering further actions.
Fortinet Documentation: FortiOS Automation Stitches
FortiAnalyzer Administration Guide: Details on configuring event handlers and integrating with FortiGate.
FortiGate Administration Guide: Information on security profiles and webhook configurations.
By understanding the interaction between FortiGate and FortiAnalyzer through webhook calls and automation stitches, security operations can ensure a proactive and efficient response to security events.
Question # 17
Refer to the exhibit.
You notice that the custom event handler you configured to detect SMTP reconnaissance activities is creating a large number of events. This is overwhelming your notification system.
How can you fix this?
A.
Increase the trigger count so that it identifies and reduces the count triggered by a particular group.
B.
Disable the custom event handler because it is not working as expected.
C.
Decrease the time range that the custom event handler covers during the attack.
D.
Increase the log field value so that it looks for more unique field values when it creates the event.
Full Access
Answer:
A
Explanation:
Understanding the Issue:
The custom event handler for detecting SMTP reconnaissance activities is generating a large number of events.
This high volume of events is overwhelming the notification system, leading to potential alert fatigue and inefficiency in incident response.
Event Handler Configuration:
Event handlers are configured to trigger alerts based on specific criteria.
The frequency and volume of these alerts can be controlled by adjusting the trigger conditions.
Possible Solutions:
A. Increase the trigger count so that it identifies and reduces the count triggered by a particular group:
By increasing the trigger count, you ensure that the event handler only generates alerts after a higher threshold of activity is detected.
This reduces the number of events generated and helps prevent overwhelming the notification system.
Selected as it effectively manages the volume of generated events.
B. Disable the custom event handler because it is not working as expected:
Disabling the event handler is not a practical solution as it would completely stop monitoring for SMTP reconnaissance activities.
Not selected as it does not address the issue of fine-tuning the event generation.
C. Decrease the time range that the custom event handler covers during the attack:
Reducing the time range might help in some cases, but it could also lead to missing important activities if the attack spans a longer period.
Not selected as it could lead to underreporting of significant events.
D. Increase the log field value so that it looks for more unique field values when it creates the event:
Adjusting the log field value might refine the event criteria, but it does not directly control the volume of alerts.
Not selected as it is not the most effective way to manage event volume.
Implementation Steps:
Step 1: Access the event handler configuration in FortiAnalyzer.
Step 2: Locate the trigger count setting within the custom event handler for SMTP reconnaissance.
Step 3: Increase the trigger count to a higher value that balances alert sensitivity and volume.
Step 4: Save the configuration and monitor the event generation to ensure it aligns with expected levels.
Conclusion:
By increasing the trigger count, you can effectively reduce the number of events generated by the custom event handler, preventing the notification system from being overwhelmed.
Fortinet Documentation on Event Handlers and Configuration FortiAnalyzer Administration Guide
Best Practices for Event Management Fortinet Knowledge Base
By increasing the trigger count in the custom event handler, you can manage the volume of generated events and prevent the notification system from being overwhelmed.
