FCSS_ADA_AR-6.7 FCSS Advanced Analytics 6.7 Architect Questions and Answers

When a FortiSIEM collector is deployed for the first time, most of its processes remain down until it is successfully registered with the supervisor.

The phMonitor process is running because it monitors system health, but other services remain inactive until the collector establishes communication with the supervisor.

Once the collector registers to the supervisor, it receives configurations and policies, and its processes will start automatically.

The administrator is running an analytic search that groups results bySource IP, Reporting IP, and User, and filters only those with aCOUNT >= 3.

Looking at the data:

●Adminhas three failed attempts from thesame Source IP (203.0.113.4)andReporting IP (10.0.1.99).

●JanandSarahappear onlyonce or twicein the dataset.

●Tomhasmultiple entries, but they are fromdifferent Source IPs and Reporting IPs, meaning they are not counted as three under the same group.

phRuleMaster runs on both the supervisor and worker nodes, allowing distributed event processing. It receives filtered data from phRuleWorkers and organizes it into buckets before evaluation. Every 30 seconds, it processes the rule data in parallel, ensuring efficient rule execution. The incorrect options suggest that phRuleMaster runs only on the supervisor or evaluates rules sequentially, both of which are inaccurate.

The phProvisionCollector command is used to register a collector to the supervisor in FortiSIEM. The correct syntax requires:

● User → The admin username for authentication.

● Password → The password for authentication.

● Super IP → The IP address of the supervisor, which manages the collector.

● Organization → The organization to which the collector belongs.

● Worker Name → The name of the worker node responsible for handling events from this collector.

Guaranteed Allocation:50 + 100 + 150 = 300 EPS

Actual (Incoming) Usage:25 + 50 + 75 = 150 EPS→ Unused from guarantees = 300 − 150 = 150 EPS

Burst Capacity (Licensed minus Guaranteed):520 − 300 = 220 EPS

Total Unused Capacity:150 + 220 = 370 EPS

As a Percentage of Licensed EPS:370/520 ≈ 71.15% → reported (after conversion/rounding) as ~71.460

The exhibit shows a FortiSIEM cluster deployed in a multi-tenant service provider environment, serving multiple customers. The architecture includes:

1. Customers with Collectors

Customer A and Customer B (AWS) have collectors deployed within their environments.

Collectors gather and forward logs to the FortiSIEM cluster for centralized analysis.

2. Customers Without Collectors

Customer C does not have a collector; instead, it sends logs directly to the FortiSIEM cluster.

3. Super Organization Managing Infrastructure

The service provider infrastructure devices (e.g., networking and security appliances) are managed directly by the FortiSIEM cluster.

This mixed setup, where some customers use collectors while others send logs directly, represents a hybrid deployment with and without collectors.

InFortiSIEM, when an agent isuninstalled from a Windows device, the deviceremains in the CMDB (Configuration Management Database)until it ismanually removed.

●Uninstalling the agent does not automatically remove the device from the CMDB.

● CMDB maintains discovered deviceseven if they no longer report logs, ensuring historical tracking.

● Administrators mustmanually deletethe device from theCMDB > Devicessection.

Group By automatically applies a COUNT aggregation.

When using Group By in FortiSIEM structured queries, it automatically applies a COUNT(*) function unless a different aggregation (such as SUM, AVG, or MAX) is specified. This helps summarize data by counting occurrences of grouped attributes.

Group By is applied to real-time and historical searches.

Grouping functions work in both real-time (live event monitoring) and historical (past event analysis) searches, making it useful for trend analysis, anomaly detection, and correlation.

TheLookupTableGetfunction is designed toenrich event databy referencing a lookup table. However, itcannot be used directly in analytic queriesfor filtering data before processing. Instead, it is meant to be applied as adisplay filterto enhance results after retrieval.

In the given query,LookupTableGet(MalwareIPList : Source IP : Confidence) >= 87is being used in afilter condition, which leads to an error because the function is not valid in this context. It should be appliedafterthe data is retrieved, not as a pre-processing filter.

Automatic remediation inFortiSIEMenablesreal-time responseto security threats without manual intervention. While this can improve response times, it also introducesrisksbecauseactions are taken automatically based on predefined rules, without human verification.

● Automated responsescould mistakenly block legitimate usersfrom critical systems or applications.

●Misconfigured rulesmightdisconnect essential systems, causing business disruptions.

● If an incident isa false positive,automatic remediation may interfere with normal operationsunnecessarily.

When a WAN link failure occurs between the collector and the supervisor in FortiSIEM:

● The collector does not discard events; instead, it buffers them until the connection is restored.

● The buffering limit is up to 1 GB after compression to optimize storage and prevent data loss.

● Once the WAN link is restored, buffered events are sent to the supervisor for processing.

When aWAN link failureoccurs between thecollectorand thesupervisorin FortiSIEM, the collectorbuffers event filesuntil the connection is restored. By default:

● Thecollector can store up to 10,000 event filesbefore reaching its buffer limit.

● Once the WAN link is restored, thecollector uploads the stored event filesto the supervisor for processing.

● If thebuffer limit is exceeded,older event files may be overwrittento make space for new ones.

In a nested event query, the inner query executes first, and its results feed into the outer query. Since the Source IP comes from the report "Failed Logons to Network Devices", which is part of the inner query, the nested time range applies to it. The other attributes, Reporting IP and Event Type, belong to the outer query and are not affected by the nested time range.

InFortiSIEM, collectors need to upload event logs to aworker nodefor processing. However, if there isno dedicated worker, thesupervisor can function as the workerto receive data.

● The error message suggests that aworker upload addressmust be defined before adding a collector.

● Since there isno dedicated worker, the administrator canset the Supervisor IP as the upload destinationto enable log collection.