FCP_FAZ_AN-7.6 Fortinet NSE 5 - FortiAnalyzer 7.6 Analyst Questions and Answers

Exact Extract: Study Guide p.185: reports can be attached to incidents manually from an existing report, manually from an incident, or automatically through playbooks.

Technical Deep Dive: The correct answer is A. Incidents are containers for related security events, and attaching a report gives the analyst historical or contextual evidence in addition to real-time event data. Option B is wrong because incident status is managed independently from attached event status. Option C is not a FortiAnalyzer default rule from the guide; SLA response times are organization-specific. Option D is wrong because incidents can be opened and analyzed directly; acknowledgment is not a prerequisite to analysis.

Exact Extract: Study Guide p.217: zipped/base64 encoded JSON is one of the playbook export data types.

Technical Deep Dive: The correct answer is A. The exhibit shows encoded data rather than readable plain-text JSON, which indicates the playbook was exported in the zipped/base64 encoded format. That does not mean the playbook is misconfigured. It also does not prove connectors were excluded; connector inclusion is a separate export option. There is no indication of password protection. The key visual clue is that the export contains encoded data plus integrity information instead of a readable JSON playbook structure.

Exact Extract: Study Guide p.118: token usage includes prompt and response; more text and larger responses consume more tokens.

Technical Deep Dive: The correct answer is A. The best low-token prompt is concise and scoped: it specifies the endpoint and limits the response to the past week. Option C is verbose and asks for all log entries, increasing both input and output tokens. Option B asks for all logs for the past week without limiting to an endpoint, which can generate a large response. Option D is short, but it lacks a time window, so it can produce a broader and more token-heavy response than option A.

Exact Extract: Study Guide p.172: templates include only Editor-tab details and do not include report settings or advanced settings.

Technical Deep Dive: The correct answer is C. Templates define the report layout: text, charts, and macros. They do not carry report settings such as the report time range, selected devices, scheduling, filters, output profile, or advanced settings. Reports include those operational settings. Option A is wrong because templates can include macros. Option B is wrong because both reports and templates can be cloned. Option D is imprecise: reports/charts can be imported/exported between same-type ADOMs, while templates are not exported directly, but the tested difference is settings.

Exact Extract: Study Guide p.216: playbook jobs with one or more failed tasks are labeled Failed, even if some actions succeeded.

Technical Deep Dive: The correct answer is C. FortiAnalyzer marks the overall playbook job as Failed when any task in the job fails. That does not mean every task failed; it means the job requires review because the workflow did not complete cleanly. Option A is not the status described in the FortiAnalyzer guide for this scenario. Option B is a task-dependency style outcome, not the overall job status tested here. Option D is wrong because success requires all required tasks to complete successfully.

Exact Extract: Study Guide p.182: auto-cache reduces report generation time and updates hcache automatically when new logs arrive.

Technical Deep Dive: The correct answers are A and B. Auto-cache improves report performance by maintaining the report hard-cache data so FortiAnalyzer does not have to build it from scratch at report-generation time. The guide explicitly states that enabling auto-cache updates hcache when new logs arrive and new log tables are generated. Option C is inaccurate because hcache stores precompiled SQL data, not the generated report files themselves. Option D is wrong because auto-cache improves processing time, not the final report size.

Exact Extract: Study Guide p.107: FortiAnalyzer can send incident notifications to external platforms using Fabric connectors; more than one connector can be added.

Technical Deep Dive: The correct answer is A. Incident update notifications are not restricted to email. FortiAnalyzer can use configured Fabric connectors to notify external collaboration or response platforms, and each connector can be configured for the incident activities that should trigger a notification. Option B is too narrow because email is only one possible delivery model. Option C is wrong because multiple connectors do not have to share identical settings. Option D is wrong because notification triggers are configurable for different incident activities, not only update or delete events.

Exact Extract: Study Guide p.184: templates and datasets cannot be exported directly; chart exports include the associated dataset.

Technical Deep Dive: The correct answer is C. In Report Definitions, the export/import rule is specific: reports and charts can be moved, templates and datasets cannot be exported directly. When a chart is exported, the dataset associated with that chart is included automatically, so importing the chart also imports the dataset. Option A is wrong because templates cannot be exported. Option B is wrong for the same reason. Option D is wrong because datasets are not directly exportable as standalone objects.

Exact Extract: Study Guide p.130-p.132: blacklisted IP or DGA matches produce an Infected verdict and appear under Compromised Hosts.

Technical Deep Dive: The correct answer is B. When IOC analysis finds web logs matching blacklisted IP addresses or domain-generation algorithm patterns, FortiAnalyzer treats that as a real breach and creates/updates an infected compromised-host entry for the endpoint. Option A describes suspicious-list behavior, where FortiAnalyzer flags the host for further analysis. Option C is wrong because blacklisted matches are classified as Infected, not merely Suspicious. Option D overstates the automatic endpoint response; quarantine is a separate response action, not the IOC engine classification itself.

Exact Extract: Study Guide p.107: more than one Fabric connector can be configured, with the same or different notification settings.

Technical Deep Dive: The correct answer is A. FortiAnalyzer can send incident status-change notifications through external platform connectors, and each connector can have its own settings. That flexibility lets a SOC notify Teams, ticketing, or other platforms differently depending on the connector and activity type. Option B is wrong because the guide permits multiple connectors. Option C confuses report output profiles with incident notifications. Option D is too narrow because notifications are not limited only to created or deleted incidents.

Exact Extract: Study Guide p.82: " Unhandled " indicates the security event risk is considered open.

Technical Deep Dive: The displayed event is best interpreted as open/unhandled, so the correct answer is C. In FortiAnalyzer, event status is not just a label; it tells the analyst whether the risk still requires action. A risk source being isolated would map to Contained, while traffic being blocked or dropped maps to Mitigated. An incident being created from an event is a separate workflow action and cannot be concluded from the event status alone unless the exhibit explicitly shows the incident linkage.

Exact Extract: Study Guide p.54: custom views save search filters, device, and time period for repeated Log View searches.

Technical Deep Dive: The correct answer is B. A custom view is designed for exactly this use case: an analyst repeatedly searches Log View with the same filters and wants to avoid rebuilding them every time. A custom dashboard shows widgets and summary data but does not preserve a Log View search workflow. A data selector is used mainly as a reusable filter for event handlers and related features. A macro is for report data extraction, not for reusing interactive log-search parameters.

Exact Extract: Study Guide p.157-p.158: report datasets use SQL SELECT queries, and clauses must be in the correct order.

Technical Deep Dive: The correct answer is A. The valid query must select the required fields, read from $log, apply the filter for the source IP, group the selected values, and order the output as expected. Option A follows the SQL structure FortiAnalyzer expects for report datasets. The incorrect options either reverse the filter logic, place clauses in the wrong order, or use malformed aliases/conditions. In FortiAnalyzer reporting, a syntactically correct dataset is mandatory because the chart receives only the data returned by that SQL SELECT query.

Exact Extract: Study Guide p.39: rolled log files are compressed, receive the .gz extension, and are known as archive logs.

Technical Deep Dive: The correct answer is C. FortiAnalyzer stores received logs first as log files and also indexes them for analytics. When the log file rolls over, FortiAnalyzer renames it, timestamps it, and compresses it into a .gz file. That compressed offline file is the archive log. Option A describes analytics logs in the SQL database. Option B is wrong because FortiView uses analytics logs, not archive logs. Option D confuses archive status with device availability; a log is archived because of the storage workflow, not because the source device is offline.

Exact Extract: Study Guide p.134-p.135: Outbreak Detection Service is licensed and downloads related event handlers and reports from FortiGuard.

Technical Deep Dive: The correct answers are A and B. The Outbreak Detection Service requires a license and allows FortiAnalyzer to receive outbreak alerts and automatically download related event handlers and reports created by Fortinet for emerging threats. Option C is wrong because outbreak alerts are available on all ADOMs, not root only. Option D is not the core mechanism described in the guide; the feature is FortiGuard-delivered content within FortiAnalyzer, not simply email-based alerting.

Exact Extract: Study Guide p.22-p.24: analyzer is the default mode; collector mode forwards logs, including to syslog/CEF, and mixed deployments improve scale.

Technical Deep Dive: The correct answers are A and D. In collector mode, FortiAnalyzer collects logs and forwards them to another analyzer, syslog server, or CEF server depending on forwarding mode. A topology using both collectors and analyzers can improve performance and regional scalability by offloading collection and keeping analysis/reporting on analyzer devices. Option B is wrong because analyzer mode is the default, not collector mode. Option C is wrong because collector mode has fewer features and does not provide reporting or event-management capabilities.

Exact Extract: Study Guide p.64-p.65: FortiView summarizes threats and can export FortiView information as a PDF file.

Technical Deep Dive: The correct answer is D. FortiView provides dashboard views such as Threats, where identified threats within a selected timeframe are summarized and organized for analysis. The guide also states FortiView information can be exported as a PDF. Log Browse and Log View are useful for searching individual logs, but they do not provide the same threat-summary dashboard workflow. Fabric View is for Security Fabric topology and inventory context, not top-threat investigation and PDF export.

Exact Extract: Study Guide p.216: Playbook Monitor provides detailed logs, and failed jobs may include successful individual tasks.

Technical Deep Dive: The correct answers are B and D. Playbook Monitor is the troubleshooting location for playbook execution, and View Log shows task-level detail for the job. A failed playbook job does not mean every task failed; the guide explicitly notes some individual actions may complete successfully. Option A is wrong because FortiAnalyzer does not roll back all completed external or local actions just because a later task failed. Option C is not described as a default debugging playbook workflow in the guide.

Exact Extract: Study Guide p.65: FortiView threat widgets show top threats and drilldowns such as IPS events, CVEs, attack vectors, and affected hosts.

Technical Deep Dive: The correct answer is C. The FortiView top-threat view is used to identify the threat type and the affected destination/application context. The exhibit supports the conclusion that an SQL injection attack occurred against an application. Option A names a different attack and target. Option B is too broad; the widget display does not prove FortiAnalyzer logged only three IPS attack types in total. Option D is a prioritization judgment not supported by the exhibit; FortiView shows severity and counts, but the analyst still assesses business impact.

Exact Extract: The FortiAnalyzer 7.6 Analyst Study Guide states that to understand log volume and disk quota, administrators can use CLI commands “to gather log rate and device usage statistics.” It separately states that to understand “the log rate and log volume per ADOM,” administrators use CLI commands that gather “log rate and volume statistics” per ADOM. The guide also explains a different dashboard metric, Insert Rate vs Receive Rate , where receive rate is the rate raw logs reach FortiAnalyzer and insert rate is the rate logs are indexed by the SQL database and sqlplugind daemon.

Technical Deep Dive: The correct answer is B because the exhibit shows the commands:

diagnose fortilogd lograte

diagnose fortilogd msgrate

These commands display FortiAnalyzer-wide log/message rate statistics for recent intervals: last 5 seconds, last 30 seconds, and last 60 seconds. The output does not show an ADOM name, ADOM ID, device name, log type breakdown, traffic/event category, or per-ADOM quota field. Therefore, the safest conclusion from the exhibit is that this output is not ADOM-specific .

Option A is wrong because the exhibit is not showing indexing values. Indexing health is normally evaluated using insert rate , receive rate , and log insert lag time , which relate to how quickly FortiAnalyzer inserts logs into the SQL database. The exhibit only shows fortilogd log rate and message rate, not SQL insert/indexing lag.

Option C is wrong because there is no breakdown between traffic logs and event logs. The output gives only aggregate rate values, so you cannot conclude whether traffic logs outnumber event logs.

Option D is wrong because a higher log rate than message rate is not automatically abnormal. The output simply shows two different rate counters. Nothing in the exhibit indicates a fault condition, queue buildup, SQL lag, or database indexing issue.