FCP_FAZ_AN-7.6
Title of test: FCP_FAZ_AN-7.6
Description: NSE5 practice test



Several questions refer to an exhibit (a screenshot or CLI output) that is not reproduced on this page.

1. The playbook shown in the exhibit requires fine-tuning. A task needs to be configured to run a report on the updated asset list that FortiAnalyzer receives from FortiClient EMS. Which SOC role is responsible for making this change?
   - Threat hunter
   - SOC engineer
   - Security analyst
   - Incident responder

2. What is the analyst trying to create?
   - A trigger variable to use in a playbook
   - A SOC report in a playbook
   - A report in a playbook
   - An output variable to use in a playbook

3. What is the purpose of running the command diagnose sql status sqlreportd?
   - To identify the configuration status of all configured reports
   - To view a list of current reports that are running
   - To display the SQL query connections and hcache status
   - To list the currently running SQL processes

4. What does the data point at 21:20 indicate?
   - FortiAnalyzer is indexing logs faster than logs are being received
   - The sqlplugind daemon is behind in receiving logs by one log
   - The fortilogd daemon is ahead in indexing by one log
   - The log insert lag time is high

5. Which two conclusions can you make about these search results? (Choose two.)
   - The logs have been parsed by the FortiGate log parser
   - They were searched using text mode
   - They are sortable by column and customizable
   - They can be downloaded to a CSV file

6. In your role as an analyst, you frequently search the log view using the same parameters. Instead of defining the same search filters repeatedly, what can you do to save time?
   - Configure a custom dashboard
   - Configure a chart template and apply it to device groups
   - Configure a report template
   - Configure a custom view

7. What can you conclude from this output?
   - The disk quota allocated to ADOM1 is 3 GB
   - There is no disk quota allocated to quarantined files
   - Archive logs are using more space than analytic logs
   - ADOM1 has 300 MB of disk space remaining

8. What are the two methods you can use to send notifications when an event is generated by an event handler? (Choose two.)
   - Send an alert through the FortiGuard server
   - Send an alert through Fabric connectors
   - Send an SMS notification
   - Send an SNMP trap

9. Which two parameters does FortiAnalyzer use to identify an indicator of compromise (IOC)? (Choose two.)
   - Application category
   - IP address
   - URL
   - Policy ID

10. An analyst needs to move reports between two ADOMs. Which two statements are true? (Choose two.)
   - All charts and datasets associated with the report will be imported together
   - The date and time will be appended to the original report name to avoid conflicts
   - The ADOMs must be compatible types
   - The reports must be converted into templates first

11. What can you conclude about the output?
   - The output is ADOM specific
   - Both messages and logs are almost finished indexing
   - The message rate being higher than the log rate is not normal
   - There are more traffic logs than event logs

12. In a FortiAnalyzer Fabric deployment, which three modules from Fabric members are available for analysis on the supervisor? (Choose three.)
   - Reports
   - Playbooks
   - Logs
   - Indicators
   - Events

13. You must find a specific security event log in the FortiAnalyzer logs displayed in FortiView, but so far you have been unsuccessful. Which two tasks should you perform to investigate why you are having this issue? (Choose two.)
   - Review the ADOM data policy
   - Check the logs in Log Browse
   - Disable FortiView using the CLI and then enable it again
   - Rebuild the SQL database and check FortiView

14. What are two effects of enabling auto-cache on FortiAnalyzer? (Choose two.)
   - The size of newly generated reports is optimized to conserve disk space
   - The hcache data is updated automatically when new logs are received
   - The report generation time is reduced
   - The FortiAnalyzer local cache is used to store generated reports

15. When managing incidents on FortiAnalyzer, which fact must an analyst be aware of?
   - The status of the incident is always linked to the status of the attached event
   - A playbook can be run from the Incidents page
   - Incidents must be acknowledged before they can be analyzed
   - Indicators found on the Incidents page can be enriched only from the Indicators page

16. Which two statements about local logs on FortiAnalyzer are true? (Choose two.)
   - Playbook logs for all ADOMs are in the root ADOM
   - Application control logs are ADOM specific
   - Local logs are not displayed in FortiView
   - Event logs are available in the root ADOM

17. For which three modules does FortiAnalyzer automatically download content with a valid SOC Automation service license? (Choose three.)
   - Report templates
   - Dashboards
   - Event handlers
   - Active connectors
   - Playbooks
   - Incident templates

18. Which three types of indicators can FortiAnalyzer identify? (Choose three.)
   - Email address
   - Host name
   - Domain
   - URL
   - IP address

19. You created a playbook on FortiAnalyzer that uses a FortiOS connector. When you configure FortiGate, which type of trigger must you use so that the actions in an automation stitch are available in the FortiOS connector?
   - Fabric Connector event
   - Incoming webhook
   - IP ban
   - FortiAnalyzer Event Handler

20. After generating a report, you notice that the information you were expecting to see is not included in that report. However, you confirm that the logs are there. Which two actions must you perform? (Choose two.)
   - Test the dataset
   - Check the time frame covered by the report
   - Increase the report utilization quota
   - Enable auto-cache

21. Which two observations can you make after reviewing this log entry? (Choose two.)
   - This is a formatted view of the log
   - This is a normalized log
   - This log is in raw log format
   - This is the original log that FortiAnalyzer received from FortiGate

22. Which three types of traffic does the safeguarding event handler scan? (Choose three.)
   - Web
   - Application
   - VoIP
   - Email
   - DNS

23. You are trying to configure a task in the playbook editor to run a report. However, when you try to select the desired report, you do not see it listed. What is the reason?
   - The report template needs to be switched to one that is available for playbooks
   - You must create a trigger to run the report first
   - The playbook is currently running, and the report will be available after it is finished
   - The report does not have auto-cache and extended log filtering enabled

24. Which two actions should you take to view compromised hosts on FortiAnalyzer? (Choose two.)
   - Enable device detection on the FortiGate devices that are sending logs to FortiAnalyzer
   - Enable web filtering in firewall policies on the FortiGate devices, and make sure the FortiGate logs are sent to FortiAnalyzer
   - Subscribe FortiAnalyzer to FortiGuard to keep its local threat database up to date
   - Subscribe to the Outbreak Detection Service so that FortiAnalyzer has the latest event handlers

25. What is the purpose of using the Chart Builder feature on FortiAnalyzer?
   - To build a chart automatically based on the top 100 log entries
   - To add charts to generate directly in the current ADOM
   - To add a new chart under FortiView to be used in new reports
   - To build a dataset and chart based on the filtered search results

26. A FortiAnalyzer analyst is customizing a SQL query to use in a report. Which SQL query should the analyst run to get the expected results?
   - SELECT AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip = !'10.0.1.10' GROUP BY Source IP, Destination Port ORDER BY dstport DESC
   - SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip = '10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC
   - SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND Source IP != '10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC
   - SELECT srcip AS "Source IP", dstport AS "Destination Port" ORDER BY dstport DESC GROUP BY srcip, dstport FROM $log WHERE $filter AND srcip = '10.0.1.10'

27. Which statement describes archive logs on FortiAnalyzer?
   - Logs that are parsed and normalized by FortiAnalyzer and available in the log view
   - Logs received from other FortiAnalyzer devices
   - Logs compressed and saved in files with the .gz extension
   - Logs that are indexed and stored in the SQL database

28. Which operation can you use SQL SELECT queries for?
   - To alter tables in the database
   - To purge log entries from the database
   - To insert new data into an existing table
   - To display the database schema

29. Which statement about automation connectors on FortiAnalyzer is true?
   - An ADOM with the Fabric type comes with multiple connectors configured
   - The local connector comes online once you have a playbook task referencing it
   - The actions available with FortiOS connectors are determined by automation rules configured on FortiGate
   - The playbook module must be enabled before external connectors are displayed

30. When there is no matching parser for a device log, what does FortiAnalyzer do?
   - Stores the log but does not normalize it
   - Applies the generic SYSLOG parser
   - Drops the log
   - Archives the log for future analysis

31. What is the purpose of running the command diagnose sql status sqlplugind?
   - To identify the database log insertion status
   - To list the currently running SQL processes
   - To view the amount of time between a log being received and being inserted into the database
   - To display the SQL query connections and hcache status

32. Client-1 is trying to access the internet for web browsing. All FortiGate devices in the topology are part of a Security Fabric with logging to FortiAnalyzer configured. All firewall policies have logging enabled. All web filter profiles are configured to log only violations. Which statement about the logging behavior for this specific traffic flow is true?
   - FGT-A will create all traffic logs except for security logs
   - FGT-A will create logs for web filter events only if FGT-B did not already detect a violation
   - FGT-A will see the MAC address of FGT-B in the packets and know it does not need to log this flow
   - Both FGT-A and FGT-B will create traffic logs

33. How does FortiAnalyzer block indicators?
   - It uses a webhook to allow FortiGate to send the block list
   - It uses a FortiClient EMS connector to send the block list
   - It uses a FortiManager connector to send the block list
   - It uses an automation script to update FortiGate with the block list

34. What does the orange status indicator on the FortiGuard Connector indicate?
   - The connection is down
   - The connection is successful
   - The connection is unknown
   - The connection is disconnected
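As an added example (not part of this exam page and not Fortinet's own code), the Python below ties two of the questions above together: it normalizes constructed raw FortiGate key=value log lines into fields (the raw-versus-normalized log question), loads them into an in-memory SQLite table that stands in for the FortiAnalyzer $log table, expands the $log and $filter dataset macros, and then tries each of the four candidate dataset queries from the SQL question, in the order the question lists them, reporting which ones the SQL parser accepts and what the accepted one returns. The log lines, the table name tlog, its column set and the replacement of $filter with the placeholder 1=1 (on FortiAnalyzer it expands to the report's own filter) are all assumptions made for this example; FortiAnalyzer uses PostgreSQL rather than SQLite, but the clause-ordering and alias errors exercised here are rejected the same way there.

```python
import re
import sqlite3

# Constructed raw FortiGate traffic-log lines in FortiOS key=value syntax.
# Devices, addresses and timestamps are made up for this example.
RAW_LOGS = [
    'date=2024-05-01 time=10:00:01 devname="FGT-A" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.0.1.10 srcport=51000 dstip=93.184.216.34 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:02 devname="FGT-A" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.0.1.10 srcport=51001 dstip=93.184.216.34 dstport=80 action="accept"',
    'date=2024-05-01 time=10:00:03 devname="FGT-A" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.0.1.10 srcport=51002 dstip=93.184.216.34 dstport=443 action="accept"',
    'date=2024-05-01 time=10:00:04 devname="FGT-B" logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.0.1.20 srcport=51003 dstip=10.0.2.5 dstport=22 action="deny"',
]

# The four candidate dataset queries, copied from the SQL question in the order listed.
CANDIDATES = [
    """SELECT AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip = !'10.0.1.10' GROUP BY Source IP, Destination Port ORDER BY dstport DESC""",
    """SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND srcip = '10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC""",
    """SELECT srcip AS "Source IP", dstport AS "Destination Port" FROM $log WHERE $filter AND Source IP != '10.0.1.10' GROUP BY srcip, dstport ORDER BY dstport DESC""",
    """SELECT srcip AS "Source IP", dstport AS "Destination Port" ORDER BY dstport DESC GROUP BY srcip, dstport FROM $log WHERE $filter AND srcip = '10.0.1.10'""",
]

# key=value pairs; values are either a double-quoted string or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_raw_log(line):
    """Normalize one raw key=value log line into a dict: strip quotes, cast bare integers."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]          # quoted values stay strings (e.g. logid)
        elif value.isdigit():
            value = int(value)           # bare numbers such as dstport become ints
        fields[key] = value
    return fields


def load_logs(lines):
    """Insert normalized logs into an in-memory table standing in for FortiAnalyzer's $log (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tlog (devname TEXT, srcip TEXT, dstip TEXT, dstport INTEGER, action TEXT)")
    for line in lines:
        f = parse_raw_log(line)
        con.execute("INSERT INTO tlog VALUES (?, ?, ?, ?, ?)",
                    (f["devname"], f["srcip"], f["dstip"], f["dstport"], f["action"]))
    con.commit()
    return con


def expand_macros(sql, log_table="tlog", report_filter="1=1"):
    """Replace the $log and $filter dataset macros; 1=1 is a placeholder for the report filter."""
    return sql.replace("$log", log_table).replace("$filter", report_filter)


def run_candidate(con, sql):
    """Return (rows, None) if the expanded query executes, else (None, error message)."""
    try:
        return con.execute(expand_macros(sql)).fetchall(), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


def check_candidates(lines=RAW_LOGS, candidates=CANDIDATES):
    """Run every candidate against the loaded logs and collect (rows, error) per query."""
    con = load_logs(lines)
    return [run_candidate(con, sql) for sql in candidates]


if __name__ == "__main__":
    for i, (rows, err) in enumerate(check_candidates(), 1):
        print(f"option {i}: " + (f"rows={rows}" if err is None else f"rejected ({err})"))
```

Only one of the four queries survives the parser; the other three fail on a missing column name before AS, an unquoted two-word alias used as a column, and ORDER BY placed before GROUP BY and FROM. Testing a dataset this way offline, with a handful of normalized logs, is a quick sanity check before loading it into a report template.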




